| File name: | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe |
| Full analysis: | https://app.any.run/tasks/09430967-26fb-485e-b8be-7c7f408e2eb1 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | August 02, 2025, 23:25:19 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections |
| MD5: | 8A248B22091F5EDF810DF43E4D22D27C |
| SHA1: | 667770F1DCD9FA7AD6A1B002DA2D3002FABCFDF4 |
| SHA256: | D0BF26BE475936DC123BD2DD727B0C863544F7E1ADF007A1CF18D09564461C40 |
| SSDEEP: | 6144:DA0Eo5Ax5nrVW078tQuv6mtUuDfJKUSO1vzR78kXloGOZtULOS:DA0J5UrH78tLUuwu1vzR7zlotULOS |
MALICIOUS
Changes the autorun value in the registry
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
Renames files like ransomware
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
- svcchost.exe (PID: 4032)
- svcchost.exe (PID: 768)
Create files in the Startup directory
- svcchost.exe (PID: 4032)
SUSPICIOUS
Starts CMD.EXE for commands execution
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
Reads security settings of Internet Explorer
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
- svcchost.exe (PID: 4032)
- svcchost.exe (PID: 768)
Executable content was dropped or overwritten
- cmd.exe (PID: 2716)
The process creates files with name similar to system file names
- cmd.exe (PID: 2716)
Starts itself from another location
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
Application launched itself
- updater.exe (PID: 6840)
The process executes via Task Scheduler
- updater.exe (PID: 6840)
INFO
Checks supported languages
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
- svcchost.exe (PID: 4032)
- svcchost.exe (PID: 768)
- updater.exe (PID: 4916)
- updater.exe (PID: 6840)
Reads the computer name
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
- svcchost.exe (PID: 768)
- svcchost.exe (PID: 4032)
- updater.exe (PID: 6840)
Launching a file from a Registry key
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
Process checks computer location settings
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
- svcchost.exe (PID: 768)
- svcchost.exe (PID: 4032)
Reads the machine GUID from the registry
- _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe (PID: 3788)
- svcchost.exe (PID: 4032)
- svcchost.exe (PID: 768)
Creates files or folders in the user directory
- svcchost.exe (PID: 4032)
- svcchost.exe (PID: 768)
Launching a file from the Startup directory
- svcchost.exe (PID: 4032)
Manual execution by a user
- svcchost.exe (PID: 768)
Creates files in the program directory
- svcchost.exe (PID: 4032)
- svcchost.exe (PID: 768)
Process checks whether UAC notifications are on
- updater.exe (PID: 6840)
Reads Internet Explorer settings
- mshta.exe (PID: 2140)
- mshta.exe (PID: 6796)
Checks proxy server information
- slui.exe (PID: 3108)
Reads the software policy settings
- slui.exe (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (76) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.6) |
| .exe | | | Generic Win/DOS Executable (5.6) |
| .exe | | | DOS Executable Generic (5.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:09:24 21:11:17+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 200704 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 319488 |
| EntryPoint: | 0x7ef50 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
141
Monitored processes
10
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 768 | "C:\Users\admin\AppData\Roaming\svcchost.exe" | C:\Users\admin\AppData\Roaming\svcchost.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2140 | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\AppData\Roaming\Decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | C:\Windows\SysWOW64\mshta.exe | — | svcchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2716 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\Desktop\_d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe" "%APPDATA%\svcchost.exe" | C:\Windows\SysWOW64\cmd.exe | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3108 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3788 | "C:\Users\admin\Desktop\_d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe" | C:\Users\admin\Desktop\_d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4032 | C:\Users\admin\AppData\Roaming\svcchost.exe | C:\Users\admin\AppData\Roaming\svcchost.exe | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 4916 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0xc8,0x2a4,0x111c460,0x111c46c,0x111c478 | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | — | updater.exe | |||||||||||
User: SYSTEM Company: Google LLC Integrity Level: SYSTEM Description: Google Updater Exit code: 0 Version: 134.0.6985.0 Modules
| |||||||||||||||
| 6796 | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\admin\AppData\Roaming\Decrypt.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} | C:\Windows\SysWOW64\mshta.exe | — | svcchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6808 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6840 | "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Google LLC Integrity Level: SYSTEM Description: Google Updater Exit code: 0 Version: 134.0.6985.0 Modules
| |||||||||||||||
Total events
5 685
Read events
5 681
Write events
4
Delete events
0
Modification events
| (PID) Process: | (3788) _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | MarvelHost |
Value: "%APPDATA%\svcchost.exe" | |||
| (PID) Process: | (4032) svcchost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids |
| Operation: | write | Name: | htafile |
Value: | |||
| (PID) Process: | (768) svcchost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids |
| Operation: | write | Name: | htafile |
Value: | |||
Executable files
1
Suspicious files
1 003
Text files
111
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\chapterpop.rtf | binary | |
MD5:904A402744997C01EDF8E15BBB4BF6AB | SHA256:47E72925721A565CFF979986E351D13AE51786098EB2C76F9B8E158C310E017B | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\archivesecure.jpg.[corbenofheat@cyberfear.com].decrypt | binary | |
MD5:1B1B0F296323FDA4159765D5458F2F76 | SHA256:5476B5057E623E7681692E1C4C61105B5A97629B22DEF54F50AFD569F250C9F1 | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\chapterpop.rtf.[corbenofheat@cyberfear.com].decrypt | binary | |
MD5:904A402744997C01EDF8E15BBB4BF6AB | SHA256:47E72925721A565CFF979986E351D13AE51786098EB2C76F9B8E158C310E017B | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\followingweather.png.[corbenofheat@cyberfear.com].decrypt | binary | |
MD5:5A25B2E2044C3549600E973CE22A89DF | SHA256:3EF40DA5CC261594D430AF7D3AC2797695940D0D486662FE527E58079EFF5991 | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\followingweather.png | binary | |
MD5:5A25B2E2044C3549600E973CE22A89DF | SHA256:3EF40DA5CC261594D430AF7D3AC2797695940D0D486662FE527E58079EFF5991 | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\ReadMe_Decryptor.txt | text | |
MD5:AD4B709BE0D030588F77BD4569F3155B | SHA256:24B946F1D2E8A7167F9418928D6DAA92A363ADDDAFBA88C7DF37EE52373A461D | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\internalend.png.[corbenofheat@cyberfear.com].decrypt | binary | |
MD5:632CA4F783615ACD44851027F86AB351 | SHA256:10A8D38DADA1461FFBA00B8C26C10ACA11E7F72B9A0B84ECFED1D218D24B0541 | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\archivesecure.jpg | binary | |
MD5:1B1B0F296323FDA4159765D5458F2F76 | SHA256:5476B5057E623E7681692E1C4C61105B5A97629B22DEF54F50AFD569F250C9F1 | |||
| 3788 | _d0bf26be475936dc123bd2dd727b0c863544f7e1adf007a1cf18d09564461c40.exe | C:\Users\admin\Desktop\mindplayers.rtf.[corbenofheat@cyberfear.com].decrypt | binary | |
MD5:B66AA67A88EFE069D286F95AD7E975BF | SHA256:A13042BDA0E7C078350834BCD9DF6216C38CE168870DAF6B10F4D4EB8F1E75BC | |||
| 2716 | cmd.exe | C:\Users\admin\AppData\Roaming\svcchost.exe | executable | |
MD5:8A248B22091F5EDF810DF43E4D22D27C | SHA256:D0BF26BE475936DC123BD2DD727B0C863544F7E1ADF007A1CF18D09564461C40 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted |
4944 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
4944 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4944 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4944 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |