File name: Happy.exe

Full analysis: https://app.any.run/tasks/554086ca-e64c-4b6e-bbeb-acc91321832d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 21, 2025, 01:11:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
ransomware
avaddon
xor-url
generic
delphi
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: D17150AF2CAEEC5DA4029822D740137A
SHA1: 3D08D5101D6D0DAF021BE544B77FBC3A29D6A86C
SHA256: DCCC689C986E357D5DBDC987E72E6B8A0E9017CBF347449B27C84B8B7B9D507A
SSDEEP: 49152:8yv4WNDPywAwG4sKeoybbcaYNZoEDy8Cg6Fn0AhMP++ua44Xd:WWNtFV0zcakRDy8Ctnqu/C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Happy.exe (PID: 984)
      • Happy.exe (PID: 6004)
      • Happy.exe (PID: 1984)
      • Happy.exe (PID: 1052)
    • Known privilege escalation attack

      • dllhost.exe (PID: 3964)
    • UAC/LUA settings modification

      • Happy.exe (PID: 984)
    • Changes the autorun value in the registry

      • Happy.exe (PID: 984)
    • XORed URL has been found (YARA)

      • Happy.exe (PID: 984)
    • Renames files like ransomware

      • Happy.exe (PID: 984)
      • restuner.exe (PID: 1356)
    • Avaddon ransom note is found

      • Happy.exe (PID: 984)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Happy.exe (PID: 984)
      • ShellExperienceHost.exe (PID: 6732)
      • ResTuner_setup.tmp (PID: 7640)
      • restuner.exe (PID: 1356)
    • Executable content was dropped or overwritten

      • Happy.exe (PID: 984)
      • ResTuner_setup.exe (PID: 7600)
      • ResTuner_setup.exe (PID: 7724)
      • ResTuner_setup.tmp (PID: 7752)
      • restuner.exe (PID: 1356)
    • Write to the desktop.ini file (may be used to cloak folders)

      • Happy.exe (PID: 984)
    • Uses WMIC.EXE to obtain shadow copy information

      • Happy.exe (PID: 984)
    • Checks for external IP

      • Happy.exe (PID: 984)
    • Reads Internet Explorer settings

      • hh.exe (PID: 8100)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 8100)
    • Reads the Windows owner or organization settings

      • ResTuner_setup.tmp (PID: 7752)
    • Uses pipe srvsvc via SMB (transferring data)

      • Happy.exe (PID: 984)
    • Creates a file in the system drive root

      • restuner.exe (PID: 1356)
    • There is functionality for taking screenshot (YARA)

      • restuner.exe (PID: 1356)
  • INFO

    • Reads the computer name

      • Happy.exe (PID: 6004)
      • Happy.exe (PID: 984)
      • ShellExperienceHost.exe (PID: 6732)
      • ResTuner_setup.tmp (PID: 7640)
      • ResTuner_setup.exe (PID: 7724)
      • ResTuner_setup.tmp (PID: 7752)
      • restuner.exe (PID: 8092)
      • restuner.exe (PID: 1356)
    • The sample is compiled with English language support

      • Happy.exe (PID: 6004)
      • Happy.exe (PID: 984)
      • restuner.exe (PID: 1356)
      • hh.exe (PID: 8100)
    • Checks supported languages

      • Happy.exe (PID: 6004)
      • Happy.exe (PID: 984)
      • ShellExperienceHost.exe (PID: 6732)
      • ResTuner_setup.exe (PID: 7600)
      • ResTuner_setup.tmp (PID: 7640)
      • ResTuner_setup.exe (PID: 7724)
      • ResTuner_setup.tmp (PID: 7752)
      • restuner.exe (PID: 8092)
      • restuner.exe (PID: 1356)
      • Happy.exe (PID: 1052)
      • Happy.exe (PID: 1984)
    • Reads the machine GUID from the registry

      • Happy.exe (PID: 6004)
      • Happy.exe (PID: 984)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 3964)
      • WMIC.exe (PID: 3488)
      • WMIC.exe (PID: 1028)
      • WMIC.exe (PID: 1740)
      • hh.exe (PID: 8100)
    • Checks proxy server information

      • Happy.exe (PID: 984)
      • hh.exe (PID: 8100)
      • slui.exe (PID: 7276)
    • Creates files or folders in the user directory

      • Happy.exe (PID: 984)
      • restuner.exe (PID: 8092)
      • ResTuner_setup.tmp (PID: 7752)
      • hh.exe (PID: 8100)
      • restuner.exe (PID: 1356)
    • Reads the software policy settings

      • Happy.exe (PID: 984)
      • hh.exe (PID: 8100)
      • slui.exe (PID: 7276)
    • Launching a file from a Registry key

      • Happy.exe (PID: 984)
    • Create files in a temporary directory

      • ResTuner_setup.exe (PID: 7600)
      • ResTuner_setup.tmp (PID: 7752)
      • hh.exe (PID: 8100)
      • ResTuner_setup.exe (PID: 7724)
    • Manual execution by a user

      • ResTuner_setup.exe (PID: 7600)
      • restuner.exe (PID: 1356)
      • Happy.exe (PID: 1052)
      • Happy.exe (PID: 1984)
    • Process checks computer location settings

      • ResTuner_setup.tmp (PID: 7640)
    • The sample is compiled with Russian language support

      • ResTuner_setup.tmp (PID: 7752)
    • Creates files in the program directory

      • ResTuner_setup.tmp (PID: 7752)
    • Creates a software uninstall entry

      • ResTuner_setup.tmp (PID: 7752)
    • Compiled with Borland Delphi (YARA)

      • restuner.exe (PID: 1356)
    • UPX packer has been detected

      • restuner.exe (PID: 1356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process: (984) Happy.exe
Decrypted-URLs (2):
http://www.w3.org/2000/svg
https://www.torproject.org/
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:10 08:30:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 2881024
InitializedDataSize: 29184
UninitializedDataSize: -
EntryPoint: 0x53f0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.1.23971
ProductVersionNumber: 6.0.1.23971
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: RealVNC Ltd
FileDescription: VNC® Password Utility
FileVersion: 6.0.1 (r23971)
InternalName: vncpasswd
LegalCopyright: Copyright © 2002-2016 RealVNC Ltd.
LegalTrademarks: VNC is a registered trademark of RealVNC Ltd in the U.S. and in other countries.
OriginalFileName: vncpasswd.exe
ProductName: VNC®
ProductVersion: 6.0.1 (r23971)
ProgramName: VNC® Password Utility
No data.
All screenshots are available in the full report
Total processes: 162
Monitored processes: 20
Malicious processes: 2
Suspicious processes: 7

Behavior graph

Process nodes, in graph order (badges shown as in the report):
  • start
  • happy.exe (no specs)
  • happy.exe (CMSTPLUA, #XOR-URL)
  • shellexperiencehost.exe (no specs)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • conhost.exe (no specs)
  • restuner_setup.exe
  • restuner_setup.tmp (no specs)
  • restuner_setup.exe
  • restuner_setup.tmp
  • restuner.exe (no specs)
  • hh.exe
  • slui.exe
  • restuner.exe
  • happy.exe (no specs)
  • happy.exe (no specs)

Process information

PID | CMD | Path | Parent process

PID 984 | CMD: "C:\Users\admin\Desktop\Happy.exe" | Path: C:\Users\admin\Desktop\Happy.exe | Parent process: dllhost.exe
User: admin
Company: RealVNC Ltd
Integrity Level: HIGH
Description: VNC® Password Utility
Version: 6.0.1 (r23971)
Modules
Images
c:\users\admin\desktop\happy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 1028 | CMD: wmic.exe SHADOWCOPY /nointeractive | Path: C:\Windows\SysWOW64\wbem\WMIC.exe | Parent process: Happy.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 44124
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\framedynos.dll
PID 1052 | CMD: "C:\Users\admin\Desktop\Happy.exe" | Path: C:\Users\admin\Desktop\Happy.exe | Parent process: explorer.exe
User: admin
Company: RealVNC Ltd
Integrity Level: MEDIUM
Description: VNC® Password Utility
Exit code: 0
Version: 6.0.1 (r23971)
Modules
Images
c:\users\admin\desktop\happy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 1356 | CMD: "C:\Program Files (x86)\Resource Tuner\restuner.exe" | Path: C:\Program Files (x86)\Resource Tuner\restuner.exe | Parent process: explorer.exe
User: admin
Company: Heaventools Software
Integrity Level: MEDIUM
Description: Resource Tuner
Version: 2.25.0.25
Modules
Images
c:\program files (x86)\resource tuner\restuner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID 1740 | CMD: wmic.exe SHADOWCOPY /nointeractive | Path: C:\Windows\SysWOW64\wbem\WMIC.exe | Parent process: Happy.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 44124
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\framedynos.dll
PID 1984 | CMD: "C:\Users\admin\Desktop\Happy.exe" | Path: C:\Users\admin\Desktop\Happy.exe | Parent process: explorer.exe
User: admin
Company: RealVNC Ltd
Integrity Level: MEDIUM
Description: VNC® Password Utility
Exit code: 0
Version: 6.0.1 (r23971)
Modules
Images
c:\users\admin\desktop\happy.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID 3488 | CMD: wmic.exe SHADOWCOPY /nointeractive | Path: C:\Windows\SysWOW64\wbem\WMIC.exe | Parent process: Happy.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 44124
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\iphlpapi.dll
PID 3964 | CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | Path: C:\Windows\SysWOW64\dllhost.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID 5232 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5720 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: WMIC.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 12 984
Read events: 11 965
Write events: 724
Delete events: 295

Modification events

PID 984 Happy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: EnableLUA | Value: 0
PID 984 Happy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: ConsentPromptBehaviorAdmin | Value: 0
PID 984 Happy.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 984 Happy.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 984 Happy.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 984 Happy.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: update | Value: C:\Users\admin\AppData\Roaming\Happy.exe
PID 984 Happy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Operation: write | Name: update | Value: C:\Users\admin\AppData\Roaming\Happy.exe
PID 6732 ShellExperienceHost.exe | Key: \REGISTRY\A\{89a3547a-5616-c8b3-38d9-37eb924b9213}\LocalState | Operation: write | Name: PeekBadges | Value: 5B005D0000007393CA7F49E2DB01
PID 984 Happy.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: EnableLinkedConnections | Value: 1
PID 984 Happy.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 | Operation: write | Name: Owner | Value: D8030000B966DE7B49E2DB01
Executable files: 21
Suspicious files: 372
Text files: 65
Unknown types: 1

Dropped files

PID | Process | Filename | Type

984 | Happy.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary
  MD5: 4A90329071AE30B759D279CCA342B0A6
  SHA256: 4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
984 | Happy.exe | C:\Users\admin\AppData\Roaming\Happy.exe | executable
  MD5: D17150AF2CAEEC5DA4029822D740137A
  SHA256: DCCC689C986E357D5DBDC987E72E6B8A0E9017CBF347449B27C84B8B7B9D507A
984 | Happy.exe | C:\$WinREAgent\Backup\168583-readme.html | html
  MD5: 19A3E44CB8F46B686C52EA91CAA0D710
  SHA256: F98EB0F0597D4CABFD60AEAD26B324530957DB484A06083EC69E5691E0549C39
984 | Happy.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\$RECYCLE.BIN\desktop.ini | text
  MD5: AD0B0B4416F06AF436328A3C12DC491B
  SHA256: 23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
984 | Happy.exe | C:\$WinREAgent\Backup\location.txt | binary
  MD5: 3593ECA26799F4CBC226457163FCEE3F
  SHA256: 9ECCEDF5EAF0C6B211A1B606656A5F94B2812EFD2C555F950EE925E457B62C32
984 | Happy.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui.avdn | binary
  MD5: 025149AF6833311E78D18F8A7C35EBC6
  SHA256: B6E8972C125BB123D959B60983CC5C08B247BF9A61ADB57AA13F4890C1DA16C9
984 | Happy.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\168583-readme.html | html
  MD5: 19A3E44CB8F46B686C52EA91CAA0D710
  SHA256: F98EB0F0597D4CABFD60AEAD26B324530957DB484A06083EC69E5691E0549C39
984 | Happy.exe | C:\$WinREAgent\168583-readme.html | html
  MD5: 19A3E44CB8F46B686C52EA91CAA0D710
  SHA256: F98EB0F0597D4CABFD60AEAD26B324530957DB484A06083EC69E5691E0549C39
984 | Happy.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui.avdn | binary
  MD5: AFE07232BE0F9D9F74CC9285A6258F2B
  SHA256: EB74E68DED0076A65CFA063B99A063F11E03BA97F3B1EE7D7138114A43C5E022
984 | Happy.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui | binary
  MD5: AFE07232BE0F9D9F74CC9285A6258F2B
  SHA256: EB74E68DED0076A65CFA063B99A063F11E03BA97F3B1EE7D7138114A43C5E022
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 51
DNS requests: 25
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

984 | Happy.exe | GET | 200 | 142.250.184.227:80 | http://c.pki.goog/r/gsr1.crl | US | binary | 1.70 Kb | whitelisted
5692 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
984 | Happy.exe | GET | 200 | 142.250.184.227:80 | http://c.pki.goog/r/r4.crl | US | binary | 530 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
7848 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 420 b | whitelisted
7848 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 408 b | whitelisted
2940 | svchost.exe | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | ID | binary | 734 b | whitelisted
8100 | hh.exe | GET | 200 | 216.58.212.163:80 | http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEHIoRiGqO3DvEobJIDM2UtM%3D | US | binary | 279 b | whitelisted
8100 | hh.exe | GET | 200 | 216.58.212.163:80 | http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEDXNWpWbUgWVEsVsLcqbQaY%3D | US | binary | 279 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2028 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2336 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5692 | svchost.exe | 20.190.160.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5692 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
984 | Happy.exe | 104.26.9.59:443 | api.myip.com | CLOUDFLARENET | US | whitelisted
984 | Happy.exe | 142.250.184.227:80 | c.pki.goog | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.4
  • 40.126.32.72
  • 20.190.160.131
  • 20.190.160.2
  • 40.126.32.134
  • 20.190.160.3
  • 20.190.160.20
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
api.myip.com
  • 104.26.9.59
  • 104.26.8.59
  • 172.67.75.163
whitelisted
c.pki.goog
  • 142.250.184.227
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID | Process | Class | Message

984 | Happy.exe | Device Retrieving External IP Address Detected | ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
No debug info