File name:

1.exe

Full analysis: https://app.any.run/tasks/bc972e51-f1ed-4dbc-a253-3712af9e6cf9
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: August 19, 2024, 04:46:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
mimic
ransomware
xor-url
generic
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

8E8198A591C3F22926AECB7090E2896C

SHA1:

709A31F07E1111FDFD6DE846F9718AC4804BC244

SHA256:

B44820E3E40E9E23FB3FCC125B880BEBC5DE4A8022069E5802B34FC75F664262

SSDEEP:

98304:ZDQPXs2E6S1RNJ31LawGx8lh6fPEXPYKzUyvtHLjAJ7MY2E8Oiiwf7jNONOnnCW3:Qh4+tHI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
    • Known privilege escalation attack

      • dllhost.exe (PID: 4788)
    • Changes image file execution options

      • Datadecrypt.exe (PID: 4544)
    • Disables the Shutdown in the Start menu

      • Datadecrypt.exe (PID: 4544)
    • Changes powershell execution policy (Bypass)

      • Datadecrypt.exe (PID: 4544)
    • UAC/LUA settings modification

      • Datadecrypt.exe (PID: 4544)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3548)
      • powershell.exe (PID: 2340)
      • powershell.exe (PID: 5916)
    • Disables Windows Defender

      • DC.exe (PID: 7132)
      • DC.exe (PID: 5440)
      • DC.exe (PID: 2360)
    • XORed URL has been found (YARA)

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 1812)
      • Datadecrypt.exe (PID: 6256)
    • MIMIC has been detected (YARA)

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 1812)
      • Datadecrypt.exe (PID: 6256)
    • Creates or modifies Windows services

      • DC.exe (PID: 2360)
    • Deletes shadow copies

      • Datadecrypt.exe (PID: 4544)
    • Starts CMD.EXE for self-deleting

      • Datadecrypt.exe (PID: 4544)
    • Using BCDEDIT.EXE to modify recovery options

      • Datadecrypt.exe (PID: 4544)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Reads security settings of Internet Explorer

      • 1.exe (PID: 6540)
      • ShellExperienceHost.exe (PID: 5312)
    • Executable content was dropped or overwritten

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Drops 7-zip archiver for unpacking

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Starts CMD.EXE for commands execution

      • Datadecrypt.exe (PID: 4544)
      • 1.exe (PID: 6540)
    • Creates file in the systems drive root

      • Datadecrypt.exe (PID: 4544)
    • Application launched itself

      • Datadecrypt.exe (PID: 4544)
      • DC.exe (PID: 7132)
      • DC.exe (PID: 5440)
    • The executable file from the user directory is run by the CMD process

      • DC.exe (PID: 7132)
    • Uses powercfg.exe to modify the power settings

      • Datadecrypt.exe (PID: 4544)
    • Creates or modifies Windows services

      • Datadecrypt.exe (PID: 4544)
    • Starts POWERSHELL.EXE for commands execution

      • Datadecrypt.exe (PID: 4544)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 3548)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6932)
      • vds.exe (PID: 6140)
      • wbengine.exe (PID: 5664)
    • Reads the date of Windows installation

      • 1.exe (PID: 6540)
    • Executing commands from ".cmd" file

      • 1.exe (PID: 6540)
    • Uses REG/REGEDIT.EXE to modify registry

      • Datadecrypt.exe (PID: 4544)
    • Start notepad (likely ransomware note)

      • Datadecrypt.exe (PID: 4544)
    • Creates files like ransomware instruction

      • Datadecrypt.exe (PID: 4544)
    • Executing commands from a ".bat" file

      • Datadecrypt.exe (PID: 4544)
    • Uses WEVTUTIL.EXE to cleanup log

      • Datadecrypt.exe (PID: 4544)
    • Sets range of bytes to zero

      • fsutil.exe (PID: 2128)
  • INFO

    • Reads the computer name

      • 1.exe (PID: 6540)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • 7za.exe (PID: 6592)
      • Datadecrypt.exe (PID: 4544)
      • Everything.exe (PID: 3116)
      • DC.exe (PID: 7132)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 1812)
      • Datadecrypt.exe (PID: 6256)
      • ShellExperienceHost.exe (PID: 5312)
      • DC.exe (PID: 5440)
      • DC.exe (PID: 2360)
      • Everything.exe (PID: 6204)
    • Create files in a temporary directory

      • 1.exe (PID: 6540)
      • DC.exe (PID: 7132)
    • Checks supported languages

      • 1.exe (PID: 6540)
      • 7za.exe (PID: 6592)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
      • Datadecrypt.exe (PID: 4544)
      • Datadecrypt.exe (PID: 1812)
      • Datadecrypt.exe (PID: 1132)
      • Datadecrypt.exe (PID: 6256)
      • DC.exe (PID: 7132)
      • Everything.exe (PID: 3116)
      • DC.exe (PID: 5440)
      • ShellExperienceHost.exe (PID: 5312)
      • DC.exe (PID: 2360)
      • Everything.exe (PID: 6204)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 4788)
      • notepad.exe (PID: 4100)
    • Reads the machine GUID from the registry

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Reads mouse settings

      • DC.exe (PID: 7132)
      • DC.exe (PID: 5440)
      • DC.exe (PID: 2360)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2340)
      • powershell.exe (PID: 3548)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5916)
    • Creates files or folders in the user directory

      • Datadecrypt.exe (PID: 4544)
      • Everything.exe (PID: 3116)
      • Everything.exe (PID: 6204)
      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
    • Process checks computer location settings

      • 1.exe (PID: 6540)
    • Manual execution by a user

      • ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe (PID: 6276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process: (6968) Jami.exe
Decrypted URLs (1): https://tox.chat/download.html
(PID) Process: (6276) ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
(PID) Process: (4544) Datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
(PID) Process: (1132) Datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
(PID) Process: (1812) Datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
(PID) Process: (6256) Datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:51+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 101888
InitializedDataSize: 19456
UninitializedDataSize: -
EntryPoint: 0x1942f
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
256
Monitored processes
99
Malicious processes
12
Suspicious processes
1

Behavior graph

start 1.exe 7za.exe no specs conhost.exe no specs enc_default_default_2023-12-27_09-27-40=jami_decryptionguy.exe no specs CMSTPLUA no specs cmd.exe no specs conhost.exe no specs rundll32.exe no specs #XOR-URL enc_default_default_2023-12-27_09-27-40=telegram@datadecrypt.exe conhost.exe no specs CMSTPLUA #XOR-URL datadecrypt.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs #XOR-URL datadecrypt.exe no specs #XOR-URL datadecrypt.exe no specs #XOR-URL datadecrypt.exe no specs dc.exe no specs conhost.exe no specs everything.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs conhost.exe no specs powercfg.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs dc.exe shellexperiencehost.exe no specs systray.exe no specs dc.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs systray.exe no specs vssvc.exe no specs bcdedit.exe no specs conhost.exe no specs bcdedit.exe no specs conhost.exe no specs wbadmin.exe wbadmin.exe conhost.exe no specs conhost.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs reg.exe no specs conhost.exe no specs notepad.exe no specs wevtutil.exe no specs 
wevtutil.exe no specs wevtutil.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs fsutil.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
240
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
400
CMD:
wbadmin.exe delete catalog -quiet
Path:
C:\Windows\System32\wbadmin.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
692
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1132
CMD:
"C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e watch -pid 4544 -!
Path:
C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
Parent process:
Datadecrypt.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\cbb2a8f5-4542-61c5-1793-2d537e10fbcc\datadecrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
xor-url
(PID) Process: (1132) Datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
PID:
1140
CMD:
powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
Path:
C:\Windows\System32\powercfg.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
1164
CMD:
C:\WINDOWS\System32\Systray.exe "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path:
C:\Windows\System32\systray.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Systray .exe stub
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\systray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1344
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1488
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
Datadecrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1812
CMD:
"C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe" -e ul1
Path:
C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
Parent process:
Datadecrypt.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\cbb2a8f5-4542-61c5-1793-2d537e10fbcc\datadecrypt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
xor-url
(PID) Process: (1812) Datadecrypt.exe
Decrypted URLs (1): https://t.me/datadecrypt
PID:
1948
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
wbadmin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
39 692
Read events
39 494
Write events
174
Delete events
24

Modification events

(PID) Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6540) 1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6276) ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Datadecrypt
Value: "C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe"

(PID) Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4788) dllhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4544) Datadecrypt.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS
Operation: write
Name: Start
Value: 4
Executable files
14
Suspicious files
12
Text files
27
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\DC.exe
Type: executable
MD5: AC34BA84A5054CD701EFAD5DD14645C9
SHA256: C576F7F55C4C0304B290B15E70A638B037DF15C69577CD6263329C73416E490E

PID: 6540
Process: 1.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
Type: executable
MD5: B93EB0A48C91A53BDA6A1A074A4B431E
SHA256: AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142

PID: 6540
Process: 1.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZSfx000.cmd
Type: text
MD5: DEA2B1DB895045F8371809504F9B298C
SHA256: 2B6BB6DCC42B536DB07611A28B779F564F5C1317427B606195C75947E4D31C15

PID: 6540
Process: 1.exe
Filename: C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.exe
Type: executable
MD5: C44487CE1827CE26AC4699432D15B42A
SHA256: 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything2.ini
Type: text
MD5: 51014C0C06ACDD80F9AE4469E7D30A9E
SHA256: 89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\7za.exe
Type: executable
MD5: B93EB0A48C91A53BDA6A1A074A4B431E
SHA256: AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.ini
Type: text
MD5: 742C2400F2DE964D0CCE4A8DABADD708
SHA256: 2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Datadecrypt.exe
Type: executable
MD5: 0BF7C0D8E3E02A6B879EFAB5DEAB013C
SHA256: B600E06F14E29B03F0B1456723A430B5024816518D704A831DDE2DC9597CE9C9

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\xdel.exe
Type: executable
MD5: 803DF907D936E08FBBD06020C411BE93
SHA256: E8EAA39E2ADFD49AB69D7BB8504CCB82A902C8B48FBC256472F36F41775E594C

PID: 6276
Process: ENC_default_default_2023-12-27_09-27-40=Telegram@datadecrypt.exe
Filename: C:\Users\admin\AppData\Local\CBB2A8F5-4542-61C5-1793-2D537E10FBCC\Everything.exe
Type: executable
MD5: C44487CE1827CE26AC4699432D15B42A
SHA256: 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
64
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2456
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
240
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6624
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4056
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
2680
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5796
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2680
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2456
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2456
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.223.36.55
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted

Threats

No threats detected
Process
Message
wbadmin.exe
Invalid parameter passed to C runtime function.
wbadmin.exe
Invalid parameter passed to C runtime function.