File name: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9

Full analysis: https://app.any.run/tasks/e843e1b4-0274-45e8-a2e9-020fc7fbf62b
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 13, 2024, 22:18:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
sodinokibi
revil
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 61C19E7CE627DA9B5004371F867A47D3
SHA1: 4F3B4329871EC269043068A98E9CC929F603268D
SHA256: BF7114F025FFF7DBC6B7AFF8E4EDB0DD8A7B53C3766429A3C5F10142609968F9
SSDEEP: 6144:PQRE7qWNcvOrKgMdv1LWucWFc83Y6uoZzFyKAuGnlOOkl8tuGogZ98dzc:Pc8c2rKXLtcWFcqY6uoZzFyfONlwP2c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Sodinokibi keys are found

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • RANSOMWARE has been detected

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • SODINOKIBI has been detected (YARA)

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Sodinokibi ransom note is found

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Renames files like ransomware

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Actions looks like stealing of personal data

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
  • SUSPICIOUS

    • Application launched itself

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
    • Reads security settings of Internet Explorer

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Executes application which crashes

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
    • Starts CMD.EXE for commands execution

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Likely accesses (executes) a file from the Public directory

      • notepad.exe (PID: 7032)
  • INFO

    • Checks supported languages

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Reads the computer name

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Process checks computer location settings

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 5604)
      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • The process uses the downloaded file

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Checks proxy server information

      • WerFault.exe (PID: 6432)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6432)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Reads the software policy settings

      • WerFault.exe (PID: 6432)
      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Creates files in the program directory

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 6968)
      • notepad.exe (PID: 7132)
      • notepad.exe (PID: 7032)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6968)
    • Reads the machine GUID from the registry

      • bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID: 6224)
    • Manual execution by a user

      • notepad.exe (PID: 7032)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:11:15 14:43:36+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 12
CodeSize: 233472
InitializedDataSize: 28672
UninitializedDataSize: 294912
EntryPoint: 0x5ed0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 142
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report; node labels as shown)

start → bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe [#SODINOKIBI] → bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe [THREAT]
werfault.exe
cmd.exe (no specs)
conhost.exe (no specs)
openwith.exe (no specs)
notepad.exe (no specs)
notepad.exe (no specs)
svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5604
CMD: "C:\Users\admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe"
Path: C:\Users\admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225501 (0xC000001D, STATUS_ILLEGAL_INSTRUCTION; this is the crash that WerFault.exe PID 6432 reported for PID 5604)
Modules
Images
c:\users\admin\appdata\local\temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6224
CMD: "C:\Users\admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe"
Path: C:\Users\admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
Parent process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 5604, which ran at MEDIUM integrity; this second instance runs at HIGH)
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6432
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5604 -s 648
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 5604; "-p 5604" names the crashing process being reported)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6700
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\SysWOW64\cmd.exe (the System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WOW64 file system redirection)
Parent process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
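The cmd.exe launch above (PID 6700) chains three commands that inhibit system recovery: shadow-copy deletion, disabling the recovery environment for the default boot entry, and ignoring boot failures. The following is an added example for this page, not ANY.RUN's or the sample author's code. It runs a small set of rules over constructed Sysmon-style process-creation events: the first event reproduces the command line recorded in this report, the other two are invented (a benign vssadmin/bcdedit use and a wmic shadowcopy variant that does not occur here). The wmic and wbadmin rules cover common variants of the same technique and go beyond what this sample did.

```python
"""Detect Windows recovery-inhibition command lines (MITRE ATT&CK T1490).

Added example for this sandbox report; it is not ANY.RUN's code. The
first command line below is the one recorded for PID 6700. The other
events are constructed test input: a benign vssadmin/bcdedit use and a
wmic variant that does not appear in this report.
"""
import re

# Command line recorded in the report (cmd.exe, PID 6700, parent = sample PID 6224).
REVIL_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'
    r' & bcdedit /set {default} recoveryenabled No'
    r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
)

# Each rule is matched against one lower-cased, whitespace-normalised
# sub-command of a chained command line. The first three cover exactly
# what the report shows; the wmic and wbadmin rules are common variants
# of the same technique and go beyond this sample.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]

# cmd.exe chains commands with &, && and ||; split on those so that each
# sub-command is inspected on its own and a hit is attributed to it.
_CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&)\s*")


def split_chain(cmdline: str) -> list[str]:
    """Return the lower-cased, whitespace-normalised sub-commands of a cmd chain."""
    return [re.sub(r"\s+", " ", seg).strip().lower()
            for seg in _CHAIN_SPLIT.split(cmdline) if seg.strip()]


def inhibit_recovery_hits(cmdline: str) -> list[str]:
    """Names of the T1490 rules matched by a command line, in command order."""
    hits = []
    for seg in split_chain(cmdline):
        for name, rx in RULES:
            if rx.search(seg):
                hits.append(name)
    return hits


def triage(events: list[dict]) -> list[dict]:
    """Run the rules over process-creation events and return only flagged ones.

    Each event needs 'pid', 'image', 'parent_image' and 'command_line',
    the fields a Sysmon Event ID 1 record provides.
    """
    flagged = []
    for ev in events:
        hits = inhibit_recovery_hits(ev["command_line"])
        if hits:
            flagged.append({"pid": ev["pid"], "parent_image": ev["parent_image"],
                            "rules": hits, "technique": "T1490"})
    return flagged


# Constructed events: the report's cmd.exe launch plus two invented ones.
SAMPLE_EVENTS = [
    {"pid": 6700, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe",
     "command_line": REVIL_CMDLINE},
    {"pid": 4242, "image": r"C:\Windows\System32\cmd.exe",          # invented, benign
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cmd.exe /c vssadmin list shadows && bcdedit /enum {default}"},
    {"pid": 9901, "image": r"C:\Windows\System32\wbem\WMIC.exe",   # invented variant
     "parent_image": r"C:\Users\admin\Downloads\dropper.exe",
     "command_line": r"wmic shadowcopy delete"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["technique"], ", ".join(hit["rules"]))
```

Splitting on the cmd chaining operators matters: a single regex over the whole line would also fire, but per-segment matching tells the analyst which of the three commands hit and keeps a benign "vssadmin list shadows && bcdedit /enum" from matching. In production the parent image (here the sample itself) is the strongest added signal, since administrators do occasionally run vssadmin delete by hand.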
PID: 6708
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6968
CMD: C:\WINDOWS\system32\OpenWith.exe -Embedding
Path: C:\Windows\System32\OpenWith.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7032
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\8756lg-readme.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7132
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\weightoh.png.8756lg
Path: C:\Windows\System32\notepad.exe
Parent process: OpenWith.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events: 12 203
Read events: 12 196
Write events: 7
Delete events: 0

Modification events

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg
Operation: write
Name: sub_key
Value: D60DFF40440F390ED2DDF04B674C2FBBF07D35FA4B2EF7FC981CA8377A2BF44D

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg
Operation: write
Name: pk_key
Value: 6650BE13C4E3BF1D0F6EED95EEE16672824758825B64F30A42CFB3F41E5C7771

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg
Operation: write
Name: sk_key
Value: 78D6ADF2DF12C75206ECB5FB06E9D20369759659BD85A083815D009D7AB0F270E25D64FACED298448A163E201A2E6B94CA19D5C9D708089C7A47FE0A3B3B6B5353E6DC7C36A86845F875B9887709A5BCB10C2792AC606AB5

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg
Operation: write
Name: 0_key
Value: 862940035CF5E56D73A41591A68F8FE4F4403DBE1F2D12BB582A6146503C177ED866272437B720E624B4BA520D90FE90A2AEADD19A0B247F9A015A6AC39B6B8DB3D7462DBE8964995DD417AE7B83F8C0882ED4B5A9CF27DB

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg
Operation: write
Name: rnd_ext
Value: .8756lg

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg
Operation: write
Name: stat
Value:

Process: bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe (PID 6224)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
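The recfg values written by PID 6224 are the registry footprint this family leaves on an infected host, and the rnd_ext value ties directly to the file artifacts elsewhere in the report (bootTel.dat.8756lg, weightoh.png.8756lg, 8756lg-readme.txt). The following is an added example for this page, not ANY.RUN's or the sample author's code: it validates the shape of the recorded values (byte lengths as observed in this run), derives the encrypted-file extension and ransom-note name from rnd_ext, and classifies a constructed list of paths taken from the report, with one invented benign file as a control. The stat value is absent from this export and is not checked.

```python
r"""Triage the Sodinokibi/REvil registry artifacts recorded in this report.

Added example for this page, not ANY.RUN code. The recfg values are the
ones PID 6224 wrote to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg in
the modification events above (the 'stat' value is absent from this
export). SAMPLE_PATHS is constructed from paths that appear in the report
plus one invented control file. The expected byte lengths are those
observed in this run, not a claim about every build of the family.
"""
import os
import re

RECFG_VALUES = {
    "sub_key": "D60DFF40440F390ED2DDF04B674C2FBBF07D35FA4B2EF7FC981CA8377A2BF44D",
    "pk_key": "6650BE13C4E3BF1D0F6EED95EEE16672824758825B64F30A42CFB3F41E5C7771",
    "sk_key": ("78D6ADF2DF12C75206ECB5FB06E9D20369759659BD85A083815D009D7AB0F270"
               "E25D64FACED298448A163E201A2E6B94CA19D5C9D708089C7A47FE0A3B3B6B53"
               "53E6DC7C36A86845F875B9887709A5BCB10C2792AC606AB5"),
    "0_key": ("862940035CF5E56D73A41591A68F8FE4F4403DBE1F2D12BB582A6146503C177E"
              "D866272437B720E624B4BA520D90FE90A2AEADD19A0B247F9A015A6AC39B6B8D"
              "B3D7462DBE8964995DD417AE7B83F8C0882ED4B5A9CF27DB"),
    "rnd_ext": ".8756lg",
}

# Byte lengths seen in this run: two 32-byte values and two 88-byte blobs.
# They are checked rather than assumed, so a sample that writes something
# else is reported as an anomaly instead of being silently accepted.
EXPECTED_LEN = {"sub_key": 32, "pk_key": 32, "sk_key": 88, "0_key": 88}
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_EXT = re.compile(r"^\.[0-9a-z]{4,12}$")  # loose shape check for the random extension


def check_recfg(values: dict) -> dict:
    """Validate the recfg values and derive the file-system IOCs from them.

    In this sample the note is named '<ext>-readme.txt', which is how
    '.8756lg' pairs with '8756lg-readme.txt' in the dropped-file list.
    """
    anomalies = []
    for name, nbytes in EXPECTED_LEN.items():
        v = values.get(name)
        if v is None:
            anomalies.append(f"{name}: missing")
        elif not _HEX.match(v):
            anomalies.append(f"{name}: not hex")
        elif len(v) != nbytes * 2:
            anomalies.append(f"{name}: {len(v) // 2} bytes, expected {nbytes}")
    ext = values.get("rnd_ext")
    if not ext or not _EXT.match(ext):
        anomalies.append(f"rnd_ext: unexpected value {ext!r}")
        ext = None
    return {
        "ok": not anomalies,
        "anomalies": anomalies,
        "extension": ext,
        "note_name": f"{ext[1:]}-readme.txt" if ext else None,
    }


def _basename(path: str) -> str:
    # Windows paths on a non-Windows analysis box: normalise separators first.
    return os.path.basename(path.replace("\\", "/"))


def original_name(path: str, ext: str) -> str:
    """Strip the appended extension: 'weightoh.png.8756lg' -> 'weightoh.png'."""
    base = _basename(path)
    return base[: -len(ext)] if base.lower().endswith(ext) else base


def classify_paths(paths: list[str], iocs: dict) -> dict:
    """Bucket file paths into ransom notes, encrypted files and everything else."""
    out = {"ransom_note": [], "encrypted": [], "other": []}
    for p in paths:
        base = _basename(p).lower()
        if iocs["note_name"] and base == iocs["note_name"]:
            out["ransom_note"].append(p)
        elif iocs["extension"] and base.endswith(iocs["extension"]):
            out["encrypted"].append(p)
        else:
            out["other"].append(p)
    return out


# Paths taken from the report's dropped-file and process lists, plus one
# constructed benign file (notes.txt) as a control.
SAMPLE_PATHS = [
    r"C:\bootTel.dat.8756lg",
    r"C:\Users\admin\Desktop\weightoh.png.8756lg",
    r"C:\8756lg-readme.txt",
    r"C:\Users\Public\Desktop\8756lg-readme.txt",
    r"C:\$WinREAgent\Backup\8756lg-readme.txt",
    r"C:\found.000\8756lg-readme.txt",
    r"C:\BOOTNXT",
    r"C:\Users\admin\Documents\notes.txt",
]

if __name__ == "__main__":
    iocs = check_recfg(RECFG_VALUES)
    print("recfg ok:", iocs["ok"], iocs["anomalies"])
    print("extension:", iocs["extension"], "note:", iocs["note_name"])
    buckets = classify_paths(SAMPLE_PATHS, iocs)
    for p in buckets["encrypted"]:
        print("encrypted:", p, "<-", original_name(p, iocs["extension"]))
    print("ransom notes:", len(buckets["ransom_note"]), "other:", buckets["other"])
```

On a live host the same logic would read the values from the registry hive and walk the file system; feeding it exported values and a path list, as here, is what you do during offline triage of a disk image. The pk_key/sk_key/0_key blobs are treated as opaque: their byte lengths are checked, their contents are not interpreted.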
Executable files: 0
Suspicious files: 232
Text files: 2
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 6432 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bf7114f025fff7db_3c56c677f382e5e410b3731366d7468b48bf0_7567e223_841e80f1-52b9-4887-b0cf-b6143c855471\Report.wer
MD5:
SHA256:

PID 6432 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A79.tmp.xml | xml
MD5: 2FD912EB61201FDDFA844A4A87FAD2B2
SHA256: 4744C721CDEAF0BAC6573A905805FA29F18C57C65D6CB6C5747741AAC88F8F93

PID 6432 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER58A3.tmp.dmp | binary
MD5: EC8C6470FC454C4670A589D5693ED3D2
SHA256: 0CB5437D48AB5DEC9EA394B34A15AE1B1927EF8F3D6CA2877425BF50394D850C

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\BOOTNXT | binary
MD5: 0EA28A7582B225658BC0F314E3E18623
SHA256: C5C02FAFCCEDDB41520D2C3540DEDF8CF22A44945518E4E187C5BABFCD6D79DC

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\$WinREAgent\Backup\8756lg-readme.txt | binary
MD5: E004BD48D896B00A28297A1F7F5DA201
SHA256: 656A3CE2469A3D833ED50DD50BBBF966D6EB50ECDF2300BA08645BAECB76A191

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\8756lg-readme.txt | binary
MD5: E004BD48D896B00A28297A1F7F5DA201
SHA256: 656A3CE2469A3D833ED50DD50BBBF966D6EB50ECDF2300BA08645BAECB76A191

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\$WinREAgent\8756lg-readme.txt | binary
MD5: E004BD48D896B00A28297A1F7F5DA201
SHA256: 656A3CE2469A3D833ED50DD50BBBF966D6EB50ECDF2300BA08645BAECB76A191

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\found.000\8756lg-readme.txt | binary
MD5: E004BD48D896B00A28297A1F7F5DA201
SHA256: 656A3CE2469A3D833ED50DD50BBBF966D6EB50ECDF2300BA08645BAECB76A191

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\bootTel.dat | binary
MD5: B9943374B70611AACF740A96B75124D1
SHA256: E8E3A976403A4323ED6AE3C50AAFDBF4019E731F304F4756911A319604A321A2

PID 6224 | bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9.exe | C:\bootTel.dat.8756lg | binary
MD5: B9943374B70611AACF740A96B75124D1
SHA256: E8E3A976403A4323ED6AE3C50AAFDBF4019E731F304F4756911A319604A321A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 129
DNS requests: 160
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(Type and Size were not recorded for any row.)

- | - | GET | 200 | 23.32.238.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
- | - | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6432 | WerFault.exe | GET | 200 | 23.32.238.153:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6432 | WerFault.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1572 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
1572 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
4556 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4556 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1752 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.32.238.153:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.215.121.133:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 2.19.80.8:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.74.206
whitelisted
crl.microsoft.com
  • 23.32.238.153
  • 23.32.238.155
  • 23.32.238.97
  • 23.32.238.107
  • 2.19.198.43
  • 23.32.238.115
whitelisted
www.microsoft.com
  • 23.215.121.133
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.19.80.8
  • 2.19.80.99
  • 2.19.80.104
  • 2.19.80.81
  • 2.19.80.123
  • 2.19.80.88
  • 2.19.80.82
  • 2.19.80.91
  • 2.19.80.17
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.14
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted

Threats

No threats detected
No debug info