File name: bbi.9512681005.exe
Full analysis: https://app.any.run/tasks/888a07bc-cad9-4821-816d-d53049d7f91c
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: July 13, 2025, 05:06:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-sch, gh0st, rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5: 8B85143F130B1EDE2A3113D75928EF75
SHA1: 2BD1720AE859062176F029DA060DF0DA4FF4516C
SHA256: 9C90B3FFDFFCF2DB7716C2C556DC633F9DDDC471748753C34449F7314A73F5CB
SSDEEP: 393216:UwehHMdHsYffHuaZEkPWLMELfG2c/ijqnLbuAJ+9t:MM1NWLMoG28ieGxt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • bbi.9512681005.exe (PID: 6240)
      • bbi.9512681005.exe (PID: 3820)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 6388)
      • reg.exe (PID: 1512)
      • reg.exe (PID: 4864)
      • reg.exe (PID: 6124)
      • reg.exe (PID: 6036)
      • reg.exe (PID: 1484)
      • reg.exe (PID: 2380)
      • reg.exe (PID: 1324)
      • reg.exe (PID: 4580)
      • reg.exe (PID: 188)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6172)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2076)
      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 3704)
      • cmd.exe (PID: 1332)
    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 5960)
      • net.exe (PID: 5708)
    • Gh0st has been detected

      • x1FEi7.exe (PID: 1200)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 5960)
      • net.exe (PID: 3980)
      • net.exe (PID: 5708)
      • net.exe (PID: 2180)
      • net.exe (PID: 3940)
    • Changes the Windows auto-update feature

      • reg.exe (PID: 6140)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6472)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • bbi.9512681005.exe (PID: 6240)
      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • Reads the date of Windows installation

      • bbi.9512681005.exe (PID: 6240)
      • vp8bn9.exe (PID: 7152)
    • Application launched itself

      • bbi.9512681005.exe (PID: 6240)
    • There is functionality for taking screenshot (YARA)

      • bbi.9512681005.exe (PID: 3820)
    • Executable content was dropped or overwritten

      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • The process executes via Task Scheduler

      • vp8bn9.exe (PID: 7152)
      • vp8bn9.exe (PID: 6472)
      • cmd.exe (PID: 5744)
      • cmd.exe (PID: 6672)
      • cmd.exe (PID: 5008)
      • cmd.exe (PID: 3760)
      • cmd.exe (PID: 6552)
      • x1FEi7.exe (PID: 6192)
      • ppX7Npw.exe (PID: 6892)
      • cmd.exe (PID: 3644)
      • cmd.exe (PID: 4864)
      • cmd.exe (PID: 5500)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 984)
    • Found strings related to reading or modifying Windows Defender settings

      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • Starts CMD.EXE for commands execution

      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 2272)
      • schtasks.exe (PID: 7004)
      • schtasks.exe (PID: 4932)
      • schtasks.exe (PID: 3780)
      • schtasks.exe (PID: 5884)
      • schtasks.exe (PID: 5552)
      • schtasks.exe (PID: 1948)
      • schtasks.exe (PID: 4224)
      • schtasks.exe (PID: 6948)
      • schtasks.exe (PID: 1044)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5744)
      • cmd.exe (PID: 6672)
      • cmd.exe (PID: 5008)
      • cmd.exe (PID: 3760)
      • cmd.exe (PID: 6552)
      • cmd.exe (PID: 3644)
      • cmd.exe (PID: 4864)
      • cmd.exe (PID: 5500)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 984)
      • cmd.exe (PID: 5960)
    • Creates file in the systems drive root

      • x1FEi7.exe (PID: 1200)
      • cmd.exe (PID: 1156)
    • Hides command output

      • cmd.exe (PID: 5960)
    • The process deletes folder without confirmation

      • x1FEi7.exe (PID: 1200)
    • Windows service management via SC.EXE

      • sc.exe (PID: 3580)
      • sc.exe (PID: 1976)
      • sc.exe (PID: 2808)
      • sc.exe (PID: 5552)
      • sc.exe (PID: 6536)
      • sc.exe (PID: 5140)
      • sc.exe (PID: 3948)
      • sc.exe (PID: 3488)
    • Connects to unusual port

      • x1FEi7.exe (PID: 1200)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 5960)
    • Creates or modifies Windows services

      • reg.exe (PID: 3720)
      • reg.exe (PID: 4520)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 6472)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5960)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 5960)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5960)
  • INFO

    • The sample compiled with english language support

      • bbi.9512681005.exe (PID: 6240)
      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • Reads the computer name

      • bbi.9512681005.exe (PID: 6240)
      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
      • ppX7Npw.exe (PID: 6892)
      • x1FEi7.exe (PID: 6192)
    • Checks supported languages

      • bbi.9512681005.exe (PID: 6240)
      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 6472)
      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
      • x1FEi7.exe (PID: 6192)
      • ppX7Npw.exe (PID: 6892)
    • NirSoft software is detected

      • bbi.9512681005.exe (PID: 6240)
      • bbi.9512681005.exe (PID: 3820)
    • Process checks computer location settings

      • bbi.9512681005.exe (PID: 6240)
      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • Reads the software policy settings

      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
      • slui.exe (PID: 6268)
    • Reads the machine GUID from the registry

      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
    • Creates files or folders in the user directory

      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
    • Checks proxy server information

      • bbi.9512681005.exe (PID: 3820)
      • vp8bn9.exe (PID: 7152)
      • slui.exe (PID: 6268)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 6172)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 3396)
      • cmd.exe (PID: 1392)
      • cmd.exe (PID: 2076)
      • cmd.exe (PID: 3704)
      • cmd.exe (PID: 5780)
      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 1332)
    • Creates files in the program directory

      • vp8bn9.exe (PID: 7152)
      • x1FEi7.exe (PID: 1200)
    • Manual execution by a user

      • cmd.exe (PID: 2276)
    • Changes file name

      • cmd.exe (PID: 5960)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6472)
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:08 11:05:13+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 215040
InitializedDataSize: 88064
UninitializedDataSize: -
EntryPoint: 0x28250
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 3.5.4.0
ProductVersionNumber: 3.5.4.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: NirSoft
FileDescription: OutlookAttachView
FileVersion: 3.54
InternalName: OutlookAttachView
LegalCopyright: Copyright © 2009 - 2025 Nir Sofer
OriginalFileName: OutlookAttachView.exe
ProductName: OutlookAttachView
ProductVersion: 3.54
Total processes: 258 | Monitored processes: 122 | Malicious processes: 5 | Suspicious processes: 21

Behavior graph

(Interactive process graph, available in the full report.) Processes shown in the graph, in order of first appearance: bbi.9512681005.exe, slui.exe, vp8bn9.exe, cmd.exe, conhost.exe, schtasks.exe, reg.exe, x1fei7.exe (tagged #GH0ST), ppx7npw.exe, net.exe, net1.exe, sc.exe, takeown.exe, icacls.exe, powershell.exe.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 188 | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
CMD: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Registry Console Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ws2_32.dll
PID: 416 | Path: C:\Windows\SysWOW64\schtasks.exe | Parent process: cmd.exe
CMD: SCHTASKS /Run /TN "Task1"
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Task Scheduler Configuration Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\schtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
PID: 856 | Path: C:\Windows\SysWOW64\icacls.exe | Parent process: cmd.exe
CMD: icacls C:\Windows\System32\WaaSMedicSvc_BAK.dll /setowner "NT SERVICE\TrustedInstaller"
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Exit code: 2 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\icacls.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
PID: 868 | Path: C:\Windows\System32\schtasks.exe | Parent process: cmd.exe
CMD: SCHTASKS /Run /TN "Task1"
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Task Scheduler Configuration Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\schtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 984 | Path: C:\Windows\System32\cmd.exe | Parent process: svchost.exe
CMD: "cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files (x86)" /t REG_DWORD /d 0 /f
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll
PID: 1044 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID: 1044 | Path: C:\Windows\SysWOW64\schtasks.exe | Parent process: cmd.exe
CMD: SCHTASKS /Delete /TN "Task1" /F
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Task Scheduler Configuration Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\schtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
PID: 1056 | Path: C:\Windows\SysWOW64\takeown.exe | Parent process: cmd.exe
CMD: takeown /f C:\Windows\System32\wuaueng.dll
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Takes ownership of a file | Exit code: 1 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\takeown.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
PID: 1100 | Path: C:\Windows\SysWOW64\icacls.exe | Parent process: cmd.exe
CMD: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Exit code: 2 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\icacls.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
PID: 1156 | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: x1FEi7.exe
CMD: cmd /c echo.>c:\xxxx.ini
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll
Total events: 13 952 | Read events: 13 927 | Write events: 25 | Delete events: 0

Modification events

PID 3820 (bbi.9512681005.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 3820 (bbi.9512681005.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 3820 (bbi.9512681005.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 3820 (bbi.9512681005.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\JDBCC | Operation: write | Name: data | Value: 6B594C434E656169784A66435851644335374B364676474E59585865545A6C652A2F26FE006927F645DEFEFE9684888F9D90D09C8D96FEFECDDDFEFECFCBCFD0CCCBCAFE
PID 6388 (reg.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Operation: write | Name: C:\Users\admin\Documents | Value: 0
PID 1512 (reg.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Operation: write | Name: C:\ProgramData | Value: 0
PID 7152 (vp8bn9.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 7152 (vp8bn9.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 7152 (vp8bn9.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 4864 (reg.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | Operation: write | Name: C:\Users | Value: 0
Executable files: 7 | Suspicious files: 14 | Text files: 16 | Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3820 | bbi.9512681005.exe | \Device\Mup:\localhost\pipe\atsvc | - | - | -
3820 | bbi.9512681005.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_FA4759C1FDA1D5B56F6A969553761240 | binary | 8624439B7CF1DEBE0F65DF4517368CA2 | D6BAB8C2653FAE1E9243E62CC19C5336584E2F5EFAEC98A9DD8865EFAF5A0B66
3820 | bbi.9512681005.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D077F3BA01F0F2293C650040B1B80D25_6D3E637EF298B0B771B990E3718E351B | binary | 74740312D2A6575128BE52107AEFA9CB | 86EC5E21D59EF0AACFEE9145CC4F9232E8859E543078EBA4981B1CD12D9306D2
3820 | bbi.9512681005.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D077F3BA01F0F2293C650040B1B80D25_6D3E637EF298B0B771B990E3718E351B | binary | 950FD813164DBD07D7EB23160404D5D9 | D99FB88AB992164F45BBC9078B5EE58705C65DE2DD9C25D6812131139A89C5F9
3820 | bbi.9512681005.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary | 8DDEFBAB3ED9C7CF3C4177E4C5D2EE6D | D468E9D609A336B8ECF256E260027FBFDAE50043C54BB1FBA15397044416015C
3820 | bbi.9512681005.exe | C:\Users\admin\Documents\eToken.dll | executable | 2F78E16B42FEBBDD7C7F52214420122F | E13B149F806CF6F7AE5ABCDD9F1F27B3A9973032ACD7B7A42AE0DBA150CF8634
3820 | bbi.9512681005.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\tad[1] | binary | 5259F1B4082E9B3ECE95EEB8393532ED | 4BC430C57D26C0E7978528E228D56882F3BE36ED52407FD75502034046918769
7152 | vp8bn9.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\FOM-51[1].jpg | - | - | -
3820 | bbi.9512681005.exe | C:\Users\admin\Documents\perfi.db | binary | 5FE995E30571C987BFB20EA951CF1356 | 3DADE3E9041C8672E17A46FFA00C21049294B32A350B4B5C3A66D9A29B5AD3F9
7152 | vp8bn9.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\FOM-52[1].jpg | - | - | -
HTTP(S) requests: 10 | TCP/UDP connections: 38 | DNS requests: 24 | Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3668 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7060 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
3668 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
3820 | bbi.9512681005.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | - | - | whitelisted
3820 | bbi.9512681005.exe | GET | 200 | 151.101.194.133:80 | http://ocsp2.globalsign.com/rootr3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEQCB5auY5G81uRwv%2BheHGMha | unknown | - | - | whitelisted
3820 | bbi.9512681005.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gsgccr3ovtlsca2024/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBT%2BeHEVW1om2JjNh%2BetTEbfp%2BiVWQQU2tOoCEgMNDdY7uWndS5Z%2FNbcPDgCDGoU2jZTCYsOlM1t7g%3D%3D | unknown | - | - | whitelisted
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
7152 | vp8bn9.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/gsgccr3ovtlsca2024/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBT%2BeHEVW1om2JjNh%2BetTEbfp%2BiVWQQU2tOoCEgMNDdY7uWndS5Z%2FNbcPDgCDAu5CNI2gOuRwtqS8g%3D%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6376 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7060 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7060 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.72
  • 20.190.160.20
  • 20.190.160.131
  • 20.190.160.64
  • 40.126.32.134
  • 20.190.160.67
  • 20.190.160.3
  • 20.190.160.132
  • 20.190.160.130
  • 40.126.32.76
  • 20.190.160.128
  • 20.190.160.4
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID | Process | Class | Message
2200 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
3820 | bbi.9512681005.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
2200 | svchost.exe | Misc activity | ET INFO DNS Query to Alibaba Cloud CDN Domain (aliyuncs .com)
7152 | vp8bn9.exe | Misc activity | ET INFO Observed Alibaba Cloud CDN Domain (aliyuncs .com in TLS SNI)
Process | Message
x1FEi7.exe | Thread running... (logged 10 times)