File name: paco.exe

Full analysis: https://app.any.run/tasks/0d6c0f91-d627-45f5-937d-1163b8d737ae
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: February 18, 2025, 05:39:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: xor-url, generic, mimic, ransomware, confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 33EEEB25F834E0B180F960ECB9518EA0
SHA1: 61F73E692E9549AD8BC9B965E25D2DA683D56DC1
SHA256: 9F6A696876FEE8B811DB8889BF4933262F4472AD41DAEA215D2E39BD537CF32F
SSDEEP: 98304:ODQPps2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8OilEHUXBAcbp5y4m:HhBAyBgh8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ELPACO-team.exe (PID: 6944)
    • Known privilege escalation attack

      • dllhost.exe (PID: 3224)
    • XORed URL has been found (YARA)

      • svhostss.exe (PID: 5556)
      • svhostss.exe (PID: 4548)
      • svhostss.exe (PID: 5740)
      • svhostss.exe (PID: 4708)
    • Executing a file with an untrusted certificate

      • DC.exe (PID: 3840)
      • DC.exe (PID: 4188)
    • MIMIC has been detected (YARA)

      • svhostss.exe (PID: 5556)
      • svhostss.exe (PID: 4548)
      • svhostss.exe (PID: 4708)
      • svhostss.exe (PID: 5740)
    • Disables the Shutdown in the Start menu

      • svhostss.exe (PID: 5556)
    • Disables Windows Defender

      • DC.exe (PID: 3840)
      • DC.exe (PID: 4188)
      • DC.exe (PID: 6900)
    • UAC/LUA settings modification

      • svhostss.exe (PID: 5556)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6308)
      • powershell.exe (PID: 6336)
      • powershell.exe (PID: 4864)
    • Changes powershell execution policy (Bypass)

      • svhostss.exe (PID: 5556)
    • Changes image file execution options

      • svhostss.exe (PID: 5556)
    • Creates or modifies Windows services

      • DC.exe (PID: 6900)
    • RANSOMWARE has been detected

      • svhostss.exe (PID: 5556)
    • Renames files like ransomware

      • svhostss.exe (PID: 5556)
    • Drops known malicious document

      • svhostss.exe (PID: 5556)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • paco.exe (PID: 6528)
      • ShellExperienceHost.exe (PID: 5364)
    • Drops 7-zip archiver for unpacking

      • paco.exe (PID: 6528)
      • ELPACO-team.exe (PID: 6944)
    • Executable content was dropped or overwritten

      • paco.exe (PID: 6528)
      • 7za.exe (PID: 6676)
      • ELPACO-team.exe (PID: 6944)
      • svhostss.exe (PID: 5556)
    • Starts CMD.EXE for commands execution

      • paco.exe (PID: 6528)
      • svhostss.exe (PID: 5556)
    • Executing commands from ".cmd" file

      • paco.exe (PID: 6528)
    • There is functionality for taking screenshot (YARA)

      • Everything.exe (PID: 6016)
      • paco.exe (PID: 6528)
    • Application launched itself

      • svhostss.exe (PID: 5556)
      • DC.exe (PID: 4188)
      • DC.exe (PID: 3840)
    • The executable file from the user directory is run by the CMD process

      • DC.exe (PID: 3840)
    • Uses powercfg.exe to modify the power settings

      • svhostss.exe (PID: 5556)
    • Creates or modifies Windows services

      • svhostss.exe (PID: 5556)
    • Starts POWERSHELL.EXE for commands execution

      • svhostss.exe (PID: 5556)
    • Process drops legitimate windows executable

      • svhostss.exe (PID: 5556)
    • Creates file in the systems drive root

      • svhostss.exe (PID: 5556)
  • INFO

    • Create files in a temporary directory

      • paco.exe (PID: 6528)
      • 7za.exe (PID: 6676)
      • DC.exe (PID: 3840)
    • Reads the computer name

      • paco.exe (PID: 6528)
      • 7za.exe (PID: 6604)
      • 7za.exe (PID: 6676)
      • gui40.exe (PID: 1144)
      • svhostss.exe (PID: 5556)
      • ELPACO-team.exe (PID: 6944)
      • Everything.exe (PID: 6016)
      • DC.exe (PID: 3840)
      • svhostss.exe (PID: 5740)
      • svhostss.exe (PID: 4708)
      • ShellExperienceHost.exe (PID: 5364)
      • DC.exe (PID: 6900)
      • svhostss.exe (PID: 4548)
      • DC.exe (PID: 4188)
    • The sample compiled with english language support

      • paco.exe (PID: 6528)
      • 7za.exe (PID: 6676)
      • ELPACO-team.exe (PID: 6944)
      • svhostss.exe (PID: 5556)
    • Checks supported languages

      • 7za.exe (PID: 6604)
      • paco.exe (PID: 6528)
      • 7za.exe (PID: 6676)
      • svhostss.exe (PID: 5556)
      • gui40.exe (PID: 1144)
      • Everything.exe (PID: 6016)
      • ELPACO-team.exe (PID: 6944)
      • svhostss.exe (PID: 4708)
      • svhostss.exe (PID: 5740)
      • DC.exe (PID: 3840)
      • svhostss.exe (PID: 4548)
      • ShellExperienceHost.exe (PID: 5364)
      • DC.exe (PID: 4188)
      • DC.exe (PID: 6900)
    • Process checks computer location settings

      • paco.exe (PID: 6528)
    • Creates files or folders in the user directory

      • ELPACO-team.exe (PID: 6944)
      • svhostss.exe (PID: 5556)
      • gui40.exe (PID: 1144)
    • Reads the machine GUID from the registry

      • ELPACO-team.exe (PID: 6944)
      • gui40.exe (PID: 1144)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 3224)
    • Confuser has been detected (YARA)

      • gui40.exe (PID: 1144)
    • Reads mouse settings

      • DC.exe (PID: 3840)
      • DC.exe (PID: 4188)
      • DC.exe (PID: 6900)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6308)
      • powershell.exe (PID: 6336)
    • The sample compiled with Italian language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with german language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with japanese language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with french language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with korean language support

      • svhostss.exe (PID: 5556)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4864)
    • The sample compiled with turkish language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with russian language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with bulgarian language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with portuguese language support

      • svhostss.exe (PID: 5556)
    • The sample compiled with spanish language support

      • svhostss.exe (PID: 5556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

svhostss.exe (PID 5556): Decrypted URLs (1): https://t.me/DataSupport911
svhostss.exe (PID 4548): Decrypted URLs (1): https://t.me/DataSupport911
svhostss.exe (PID 5740): Decrypted URLs (1): https://t.me/DataSupport911
svhostss.exe (PID 4708): Decrypted URLs (1): https://t.me/DataSupport911
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 87040
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 212
Monitored processes: 72
Malicious processes: 10
Suspicious processes: 1

Behavior graph

start paco.exe 7za.exe no specs conhost.exe no specs 7za.exe conhost.exe no specs elpaco-team.exe conhost.exe no specs CMSTPLUA #XOR-URL svhostss.exe conhost.exe no specs gui40.exe no specs everything.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #XOR-URL svhostss.exe no specs #XOR-URL svhostss.exe no specs #XOR-URL svhostss.exe no specs dc.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dc.exe shellexperiencehost.exe no specs systray.exe no specs dc.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 128
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Systray .exe stub
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 440
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Systray .exe stub
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1144
CMD: C:\Users\admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
Path: C:\Users\admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\gui40.exe
Parent process: svhostss.exe
User: admin
Integrity Level: HIGH
Description: GUI
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\bd3fdddf-6caf-3ebc-d9cf-c8df72d8f78a\gui40.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1344
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1760
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Systray .exe stub
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1768
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Systray .exe stub
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2076
CMD: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
Path: C:\Windows\System32\powercfg.exe
Parent process: svhostss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2364
CMD: C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\System32\systray.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Systray .exe stub
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2612
CMD: powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
Path: C:\Windows\System32\powercfg.exe
Parent process: svhostss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 21 466
Read events: 21 424
Write events: 40
Delete events: 2

Modification events

Process: (6944) ELPACO-team.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svhostss
Value: "C:\Users\admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\svhostss.exe"

Process: (3224) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SDRSVC
Operation: write
Name: Start
Value: 4

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine
Operation: write
Name: Start
Value: 4

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotocolhost.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (5556) svhostss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe
Operation: write
Name: Debugger
Value: C:\WINDOWS\System32\Systray.exe

Process: (3840) DC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation: write
Name: DisableAntiSpyware
Value: 1
Executable files: 234
Suspicious files: 8 801
Text files: 3 654
Unknown types: 6

Dropped files

PID | Process | Filename | Type

6528 paco.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll | executable
MD5: 3B03324537327811BBBAFF4AAFA4D75B
SHA256: 8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880

6528 paco.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe | executable
MD5: C44487CE1827CE26AC4699432D15B42A
SHA256: 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405

6676 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything2.ini | text
MD5: 51014C0C06ACDD80F9AE4469E7D30A9E
SHA256: 89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5

6528 paco.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll | compressed
MD5: 245FB739C4CB3C944C11EF43CDDD8D57
SHA256: D180F63148FBBFCFD88AA7938AB88FCEA3881402B6617F4F3E152427AEB6C59C

6676 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\DC.exe | executable
MD5: AC34BA84A5054CD701EFAD5DD14645C9
SHA256: C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E

6676 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.ini | text
MD5: 742C2400F2DE964D0CCE4A8DABADD708
SHA256: 2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01

6676 7za.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\global_options.ini | binary
MD5: 26F59BB93F02D5A65538981BBC2DA9CC
SHA256: 14F93A82D99CD2BF3DA0ABA73B162A7BB183EDED695CFFFF47A05C1290D2A2FA

6944 ELPACO-team.exe | C:\Users\admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\DC.exe | executable
MD5: AC34BA84A5054CD701EFAD5DD14645C9
SHA256: C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E

6944 ELPACO-team.exe | C:\Users\admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe | executable
MD5: 0BF7C0D8E3E02A6B879EFAB5DEAB013C
SHA256: B600E06F14E29B03F0B1456723A430B5024816518D704A831DDE2DC9597CE9C9

6944 ELPACO-team.exe | C:\Users\admin\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\Everything2.ini | text
MD5: 51014C0C06ACDD80F9AE4469E7D30A9E
SHA256: 89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 34
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1176 svchost.exe | GET 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | Reputation: whitelisted
6800 backgroundTaskHost.exe | GET 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | CN: unknown | Reputation: whitelisted
3836 SIHClient.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | Reputation: whitelisted
3836 SIHClient.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

(no PID/process recorded) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:137 | whitelisted
3884 RUXIMICS.exe | 20.73.194.208:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2624 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:138 | whitelisted
1176 svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 svchost.exe | 2.23.77.188:80 | AKAMAI-AS | DE | unknown
1076 svchost.exe | 92.123.18.10:443 | go.microsoft.com | AKAMAI-AS | AT | whitelisted
5556 svhostss.exe | 192.168.100.2:445 | whitelisted
5556 svhostss.exe | 192.168.100.1:445 | unknown

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
login.live.com | 20.190.160.17, 40.126.32.140, 20.190.160.130, 20.190.160.65, 20.190.160.2, 40.126.32.74, 20.190.160.14, 20.190.160.67 | whitelisted
go.microsoft.com | 92.123.18.10 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
ocsp.digicert.com | 184.30.131.245 | whitelisted
fd.api.iris.microsoft.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.19 | whitelisted

Threats

No threats detected
No debug info