File name: PO_UB74894983.cmd

Full analysis: https://app.any.run/tasks/9f390fc1-0f09-4dab-8528-60786b2d7318
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: February 12, 2025, 20:19:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, snake, keylogger, stealer, netreactor
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 last modified Sun, Aug 01 1980 00:00:00 +A "x.exe", number 1, 51 datablocks, 0 compression
MD5: 2B0EB1CE12AB33ADD03BCD0C4EB5BBEF
SHA1: 61ED0F458DECC2FC2DCA488829068B941D6EC380
SHA256: B90740CA2BF06AB6D1FD39F40EBB565E569DBF2A9E47C59D6EA00716E46BF5F1
SSDEEP: 49152:X4HmQnYvfIaBUMdeJscdLGj/H2orXSOjXoVSqKbA/J1Xc1yUbir4FXBr:S9Y3BhMxdKj/HDrz5SvrG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 3144)
      • alpha.pif (PID: 2484)
    • Starts PowerShell from an unusual location

      • alpha.pif (PID: 2484)
    • Changes the autorun value in the registry

      • x.exe (PID: 6888)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • suftyefX.pif (PID: 6280)
    • Steals credentials from Web Browsers

      • suftyefX.pif (PID: 6280)
    • Actions look like stealing of personal data

      • suftyefX.pif (PID: 6280)
  • SUSPICIOUS

    • Executing commands from ".cmd" file

      • x.exe (PID: 6888)
      • svchost.pif (PID: 5032)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 7136)
      • cmd.exe (PID: 7068)
      • extrac32.exe (PID: 3560)
      • ndpha.pif (PID: 776)
      • cmd.exe (PID: 3144)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3620)
      • alpha.pif (PID: 2484)
      • aken.pif (PID: 5040)
      • suftyefX.pif (PID: 6280)
    • Process drops legitimate windows executable

      • x.exe (PID: 6888)
      • extrac32.exe (PID: 3560)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3620)
    • Reads security settings of Internet Explorer

      • x.exe (PID: 6888)
      • ndpha.pif (PID: 776)
      • aken.pif (PID: 5040)
    • Drops a file with a rarely used extension (PIF)

      • extrac32.exe (PID: 3560)
      • x.exe (PID: 6888)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3620)
    • Executable content was dropped or overwritten

      • x.exe (PID: 6888)
      • extrac32.exe (PID: 3560)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3620)
    • Starts CMD.EXE for commands execution

      • x.exe (PID: 6888)
      • svchost.pif (PID: 5032)
    • Starts a Microsoft application from unusual location

      • ndpha.pif (PID: 776)
      • alpha.pif (PID: 2484)
      • aken.pif (PID: 5040)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7136)
      • ndpha.pif (PID: 776)
      • cmd.exe (PID: 3144)
      • alpha.pif (PID: 2484)
      • x.exe (PID: 6888)
    • Starts itself from another location

      • cmd.exe (PID: 3144)
    • Checks Windows Trust Settings

      • aken.pif (PID: 5040)
    • Checks for external IP

      • suftyefX.pif (PID: 6280)
      • svchost.exe (PID: 2192)
    • The process verifies whether the antivirus software is installed

      • suftyefX.pif (PID: 6280)
  • INFO

    • Checks supported languages

      • x.exe (PID: 6888)
      • extrac32.exe (PID: 3560)
      • ndpha.pif (PID: 776)
      • svchost.pif (PID: 5032)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3620)
      • alpha.pif (PID: 2484)
      • aken.pif (PID: 5040)
      • suftyefX.pif (PID: 6280)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2512)
    • Reads the computer name

      • x.exe (PID: 6888)
      • extrac32.exe (PID: 3560)
      • ndpha.pif (PID: 776)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3620)
      • suftyefX.pif (PID: 6280)
      • aken.pif (PID: 5040)
    • Manual execution by a user

      • x.exe (PID: 6888)
    • Checks proxy server information

      • x.exe (PID: 6888)
      • suftyefX.pif (PID: 6280)
    • The sample was compiled with English language support

      • x.exe (PID: 6888)
      • extrac32.exe (PID: 624)
      • extrac32.exe (PID: 3560)
      • extrac32.exe (PID: 3620)
    • Process checks computer location settings

      • ndpha.pif (PID: 776)
    • Reads the software policy settings

      • aken.pif (PID: 5040)
      • suftyefX.pif (PID: 6280)
    • Creates files in a temporary directory

      • aken.pif (PID: 5040)
    • Reads Environment values

      • aken.pif (PID: 5040)
    • Script raised an exception (POWERSHELL)

      • aken.pif (PID: 5040)
    • Reads the machine GUID from the registry

      • x.exe (PID: 6888)
      • suftyefX.pif (PID: 6280)
      • aken.pif (PID: 5040)
    • Disables trace logs

      • suftyefX.pif (PID: 6280)
    • Process checks Powershell version

      • aken.pif (PID: 5040)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • aken.pif (PID: 5040)
    • .NET Reactor protector has been detected

      • suftyefX.pif (PID: 6280)
No Malware configuration.

TRiD: .cab | Microsoft Cabinet Archive (100)
No data.
Total processes: 144
Monitored processes: 18
Malicious processes: 6
Suspicious processes: 3

Behavior graph

Process nodes in the graph (in report order): start, winrar.exe, x.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), extrac32.exe, ndpha.pif (no specs), svchost.pif (no specs), svchost.pif, cmd.exe (no specs), conhost.exe (no specs), extrac32.exe, extrac32.exe, alpha.pif (no specs), aken.pif (no specs), #SNAKEKEYLOGGER suftyefx.pif, svchost.exe

Process information (fields per process: PID, CMD, Path, Indicators, Parent process)

PID: 624
CMD: extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
Path: C:\Windows\System32\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 776
CMD: C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif
Path: C:\Users\Public\ndpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\public\ndpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2484
CMD: C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
Path: C:\Users\Public\alpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2512
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\PO_UB74894983.cmd.cab
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3144
CMD: C:\WINDOWS\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: svchost.pif
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 3288
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3560
CMD: extrac32 /C /Y C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\ndpha.pif
Path: C:\Windows\SysWOW64\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3620
CMD: extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
Path: C:\Windows\System32\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 5.00 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 4540
CMD: "C:\Windows \SysWOW64\svchost.pif"
Path: C:\Windows \SysWOW64\svchost.pif
Parent process: ndpha.pif
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Exchange ActiveSync Invoker
Exit code: 3221226540
Version: 10.0.22621.1 (WinBuild.160101.0800)
Modules (images):
c:\windows \syswow64\svchost.pif
c:\windows\system32\ntdll.dll
Total events: 9 028
Read events: 8 978
Write events: 37
Delete events: 13

Modification events

(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\PO_UB74894983.cmd.cab
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 15 | Value: (none)
(PID) Process: (2512) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath | Operation: delete value | Name: 14 | Value: (none)
Executable files: 7
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6888 | x.exe | C:\Users\Public\Libraries\NEO.cmd | text
  MD5: 1E4515AF5998714486F54B77495DE7CC
  SHA256: 587BBD4F462D7F4432AB348453CBDAD5A5EC36495677189D76862C881C344B7B
624 | extrac32.exe | C:\Users\Public\alpha.pif | executable
  MD5: CB6CD09F6A25744A8FA6E4B3E4D260C5
  SHA256: 265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
6888 | x.exe | C:\Users\Public\Libraries\Xfeytfus50.cmd | text
  MD5: D0434717B2D379C7F5A40AEF52058907
  SHA256: 778D225C3BC8FA8148E4CE6F92DB8FFA818390D425C250B18CE1BC067E3FFA02
6888 | x.exe | C:\Windows \SysWOW64\svchost.pif | executable
  MD5: 869640D0A3F838694AB4DFEA9E2F544D
  SHA256: 0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
5040 | aken.pif | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rlgmqdpm.n2r.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2512 | WinRAR.exe | C:\Users\admin\Desktop\x.exe | executable
  MD5: DBD0A1DF20A636C186E2DD360649FC50
  SHA256: BC4403C05D9ACECB8DD36F6ED0978168D06385C155DD7AB84831BBE42EC26466
3620 | extrac32.exe | C:\Users\Public\aken.pif | executable
  MD5: 2E5A8590CF6848968FC23DE3FA1E25F1
  SHA256: 9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
3560 | extrac32.exe | C:\Users\Public\ndpha.pif | executable
  MD5: D3C24BF05054932915AAE233E3463C3E
  SHA256: 155A5BCE6AC3B10AC6D4FE768F0520A029A0A3FD341B747ADE8F77066F81B956
6888 | x.exe | C:\Users\Public\XfeytfusF.cmd | text
  MD5: 616F542F94791979D27798E12FE9374B
  SHA256: D3C9DDAA8DEBFA28BFDFF1DFC8C5BA4E11E39C7D9029EAD83C874FCFC8325DDB
6888 | x.exe | C:\Windows \SysWOW64\NETUTILS.dll | executable
  MD5: E10813C202A7BBF848554341A5AB14E8
  SHA256: 9ED90220A8BA238563D811B596EF82663D0B5A984619DE3D56238264176D35C9
HTTP(S) requests: 9
TCP/UDP connections: 32
DNS requests: 19
Threats: 7

HTTP requests (Type and Size columns were empty in the report)

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.207.210.91:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6928 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6928 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6576 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6280 | suftyefX.pif | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted
6280 | suftyefX.pif | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | whitelisted

Connections ("-" marks a field the report left empty)

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 23.207.210.91:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1460 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.21.65.154:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
1176 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP(s) | Reputation
crl.microsoft.com | 23.207.210.91, 23.207.210.92 | whitelisted
www.microsoft.com | 23.52.120.96, 2.23.246.101 | whitelisted
google.com | 216.58.206.78 | whitelisted
www.bing.com | 2.21.65.154, 2.21.65.132 | whitelisted
login.live.com | 40.126.32.136, 20.190.160.17, 20.190.160.14, 20.190.160.67, 40.126.32.134, 20.190.160.66, 20.190.160.131, 20.190.160.64 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
go.microsoft.com | 2.19.106.8 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
arc.msn.com | 20.223.36.55 | whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6280 | suftyefX.pif | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
6280 | suftyefX.pif | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
6280 | suftyefX.pif | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
2192 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
6280 | suftyefX.pif | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
No debug info