File name:

1.exe

Full analysis: https://app.any.run/tasks/bc972e51-f1ed-4dbc-a253-3712af9e6cf9
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 19, 2024, 04:46:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
mimic
ransomware
xor-url
generic
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

8E8198A591C3F22926AECB7090E2896C

SHA1:

709A31F07E1111FDFD6DE846F9718AC4804BC244

SHA256:

B44820E3E40E9E23FB3FCC125B880BEBC5DE4A8022069E5802B34FC75F664262

SSDEEP:

98304:ZDQPXs2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8Oiiwf7jNONOnnCW3:Qh4+tHI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
    • Known privilege escalation attack

      • dllhost.exe (PID: 4788)
    • Disables Windows Defender

      • DC.exe (PID: 7132)
      • DC.exe (PID: 5440)
      • DC.exe (PID: 2360)
    • Disables the Shutdown in the Start menu

      • Datadecrypt.exe (PID: 4544)
    • Changes powershell execution policy (Bypass)

      • Datadecrypt.exe (PID: 4544)
    • UAC/LUA settings modification

      • Datadecrypt.exe (PID: 4544)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3548)
      • powershell.exe (PID: 5916)
      • powershell.exe (PID: 2340)
    • Creates or modifies Windows services

      • DC.exe (PID: 2360)
    • MIMIC has been detected (YARA)

      • Datadecrypt.exe (PID: 4544)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 6256)
      • Datadecrypt.exe (PID: 1812)
      • Datadecrypt.exe (PID: 1132)
    • XORed URL has been found (YARA)

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 1812)
      • Datadecrypt.exe (PID: 6256)
    • Using BCDEDIT.EXE to modify recovery options

      • Datadecrypt.exe (PID: 4544)
    • Deletes shadow copies

      • Datadecrypt.exe (PID: 4544)
    • Starts CMD.EXE for self-deleting

      • Datadecrypt.exe (PID: 4544)
    • Changes image file execution options

      • Datadecrypt.exe (PID: 4544)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Drops the executable file immediately after the start

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Reads security settings of Internet Explorer

      • 1.exe (PID: 6540)
      • ShellExperienceHost.exe (PID: 5312)
    • Reads the date of Windows installation

      • 1.exe (PID: 6540)
    • Executable content was dropped or overwritten

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Starts CMD.EXE for commands execution

      • 1.exe (PID: 6540)
      • Datadecrypt.exe (PID: 4544)
    • Executing commands from ".cmd" file

      • 1.exe (PID: 6540)
    • Creates file in the systems drive root

      • Datadecrypt.exe (PID: 4544)
    • Application launched itself

      • Datadecrypt.exe (PID: 4544)
      • DC.exe (PID: 7132)
      • DC.exe (PID: 5440)
    • Creates or modifies Windows services

      • Datadecrypt.exe (PID: 4544)
    • Uses powercfg.exe to modify the power settings

      • Datadecrypt.exe (PID: 4544)
    • Starts POWERSHELL.EXE for commands execution

      • Datadecrypt.exe (PID: 4544)
    • The executable file from the user directory is run by the CMD process

      • DC.exe (PID: 7132)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 3548)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6932)
      • vds.exe (PID: 6140)
      • wbengine.exe (PID: 5664)
    • Uses REG/REGEDIT.EXE to modify registry

      • Datadecrypt.exe (PID: 4544)
    • Creates files like ransomware instruction

      • Datadecrypt.exe (PID: 4544)
    • Start notepad (likely ransomware note)

      • Datadecrypt.exe (PID: 4544)
    • Uses WEVTUTIL.EXE to cleanup log

      • Datadecrypt.exe (PID: 4544)
    • Executing commands from a ".bat" file

      • Datadecrypt.exe (PID: 4544)
    • Sets range of bytes to zero

      • fsutil.exe (PID: 2128)
  • INFO

    • Create files in a temporary directory

      • 1.exe (PID: 6540)
      • DC.exe (PID: 7132)
    • Checks supported languages

      • 1.exe (PID: 6540)
      • 7za.exe (PID: 6592)
      • Datadecrypt.exe (PID: 4544)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Everything.exe (PID: 3116)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 6256)
      • DC.exe (PID: 7132)
      • Datadecrypt.exe (PID: 1812)
      • DC.exe (PID: 5440)
      • DC.exe (PID: 2360)
      • ShellExperienceHost.exe (PID: 5312)
      • Everything.exe (PID: 6204)
    • Process checks computer location settings

      • 1.exe (PID: 6540)
    • Reads the computer name

      • 1.exe (PID: 6540)
      • 7za.exe (PID: 6592)
      • Datadecrypt.exe (PID: 4544)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • DC.exe (PID: 7132)
      • Everything.exe (PID: 3116)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 1812)
      • DC.exe (PID: 5440)
      • Datadecrypt.exe (PID: 6256)
      • ShellExperienceHost.exe (PID: 5312)
      • DC.exe (PID: 2360)
      • Everything.exe (PID: 6204)
    • Creates files or folders in the user directory

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
      • Everything.exe (PID: 3116)
      • Everything.exe (PID: 6204)
    • Reads the machine GUID from the registry

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 4788)
      • notepad.exe (PID: 4100)
    • Manual execution by a user

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Reads mouse settings

      • DC.exe (PID: 7132)
      • DC.exe (PID: 5440)
      • DC.exe (PID: 2360)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2340)
      • powershell.exe (PID: 3548)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(6968) Jami.exe
Decrypted-URLs (1): https://tox.chat/download.html
(PID) Process(6276) ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
(PID) Process(4544) Datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
(PID) Process(1132) Datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
(PID) Process(1812) Datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
(PID) Process(6256) Datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 256
Monitored processes: 99
Malicious processes: 12
Suspicious processes: 1

Behavior graph

start 1.exe 7za.exe no specs conhost.exe no specs enc_default_default_2023-12-27_09-27-40=jami_decryptionguy.exe no specs CMSTPLUA no specs cmd.exe no specs conhost.exe no specs rundll32.exe no specs #XOR-URL enc_default_default_2023-12-27_09-27-40=telegram@datadecrypt.exe conhost.exe no specs CMSTPLUA #XOR-URL datadecrypt.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs #XOR-URL datadecrypt.exe no specs #XOR-URL datadecrypt.exe no specs #XOR-URL datadecrypt.exe no specs dc.exe no specs conhost.exe no specs everything.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dc.exe shellexperiencehost.exe no specs systray.exe no specs dc.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs vssvc.exe no specs bcdedit.exe no specs conhost.exe no specs bcdedit.exe no specs conhost.exe no specs wbadmin.exe wbadmin.exe conhost.exe no specs conhost.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs reg.exe no specs conhost.exe no specs notepad.exe no specs wevtutil.exe no specs 
wevtutil.exe no specs wevtutil.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs fsutil.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
240
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
400
CMD:
wbadmin.exe delete catalog -quiet
Path:
C:\Windows\System32\wbadmin.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
692
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1132
CMD:
"C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e watch -pid 4544 -!
Path:
C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
Parent process:
Datadecrypt.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\cbb2a8f5-4542-61c5-1793-2d537e10fbcc\datadecrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
xor-url
(PID) Process(1132) Datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
PID:
1140
CMD:
powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
Path:
C:\Windows\System32\powercfg.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1164
CMD:
C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path:
C:\Windows\System32\systray.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1344
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1488
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1812
CMD:
"C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e ul1
Path:
C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
Parent process:
Datadecrypt.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\cbb2a8f5-4542-61c5-1793-2d537e10fbcc\datadecrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
xor-url
(PID) Process(1812) Datadecrypt.exe
Decrypted-URLs (1): https://t.me/datadecrypt
PID:
1948
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
wbadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 39 692
Read events: 39 494
Write events: 174
Delete events: 24

Modification events

Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (6276) ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Datadecrypt
Value: "C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe"

Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (4544) Datadecrypt.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS
Operation: write
Name: Start
Value: 4
Executable files: 14
Suspicious files: 12
Text files: 27
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\7za.exe
Type: executable
MD5: B93EB0A48C91A53BDA6A1A074A4B431E
SHA256: AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142

PID: 6540
Process: 1.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZSfx000.cmd
Type: text
MD5: DEA2B1DB895045F8371809504F9B298C
SHA256: 2B6BB6DCC42B536DB07611A28B779F564F5C1317427B606195C75947E4D31C15

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything2.ini
Type: text
MD5: 51014C0C06ACDD80F9AE4469E7D30A9E
SHA256: 89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5

PID: 6540
Process: 1.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything64.dll
Type: compressed
MD5: E7CECB49DA4CEFD6F0B306FF09AFDCB4
SHA256: B4C78DCF7C9BFE60C2C61CAB64243FE72A94A2BA002D0C742FADD56B1A92BFDD

PID: 6540
Process: 1.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dll
Type: executable
MD5: 3B03324537327811BBBAFF4AAFA4D75B
SHA256: 8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\gui40.exe
Type: executable
MD5: 57850A4490A6AFD1EF682EB93EA45E65
SHA256: 31FEFF32D23728B39ED813C1E7DC5FE6A87DCD4D10AA995446A8C5EB5DA58615

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
Type: executable
MD5: C44487CE1827CE26AC4699432D15B42A
SHA256: 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\DC.exe
Type: executable
MD5: AC34BA84A5054CD701EFAD5DD14645C9
SHA256: C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\session.tmp
Type: binary
MD5: 2714A2C4BB8F77F460B5CDF0FCE75AC0
SHA256: AD2616619FFE2C126F544EB91B7E1C9106A3EC2AD516DB90274AF456F6CDBB82

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\gui35.exe
Type: executable
MD5: 03A63C096B9757439264B57E4FDF49D1
SHA256: 22EA129B0F57184F30B1771C62A3233BA92E581C1F111B4E8ABFA318DC92CC46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 64
DNS requests: 18
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2456
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
240
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6624
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4056
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2680
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5796
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2680
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2456
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2456
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.223.36.55
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted

Threats

No threats detected
Process
Message
wbadmin.exe
Invalid parameter passed to C runtime function.
wbadmin.exe
Invalid parameter passed to C runtime function.