File name: 8.exe
Full analysis: https://app.any.run/tasks/7bd1c379-c66f-45f2-83d2-ff574dc896e3
Verdict: Malicious activity
Analysis date: March 04, 2022, 12:56:55
OS: Windows 10 Professional (build: 16299, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 69BA88DE5E68683BED26E78693F03FB7
SHA1: EAFD5FCCF9F3C67D68D4217BA9FBADD2DFE96948
SHA256: FD860586369A9F082F023A05A34C4CF54B9B3A017B123E34FDC1AE138A919034
SSDEEP: 3072:QTpfE220vyTdHGM/pvANOhY97Aekz08wqxRFcaHxE:QtpimM/hMIY97ATz08bzrG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • raserver.exe (PID: 3112)
    • Changes the autorun value in the registry
      • raserver.exe (PID: 3112)
    • Drops an executable file immediately after start
      • Explorer.EXE (PID: 3436)
      • DllHost.exe (PID: 996)
  • SUSPICIOUS
    • Checks supported languages
      • conhost.exe (PID: 2860)
    • Starts CMD.EXE for command execution
      • raserver.exe (PID: 3112)
    • Reads the computer name
      • 8.exe (PID: 4512)
      • winyvg4cvfp.exe (PID: 4540)
    • Reads Environment values
      • raserver.exe (PID: 3112)
    • Executed via COM
      • DllHost.exe (PID: 996)
    • Executable content was dropped or overwritten
      • Explorer.EXE (PID: 3436)
      • DllHost.exe (PID: 996)
    • Creates a directory in Program Files
      • DllHost.exe (PID: 996)
    • Creates files in the program directory
      • DllHost.exe (PID: 996)
  • INFO
    • Reads the computer name
      • raserver.exe (PID: 3112)
      • DllHost.exe (PID: 996)
      • Firefox.exe (PID: 2720)
    • Manual execution by user
      • raserver.exe (PID: 3112)
    • Checks supported languages
      • cmd.exe (PID: 900)
      • raserver.exe (PID: 3112)
      • DllHost.exe (PID: 996)
    • Reads settings of System Certificates
      • raserver.exe (PID: 3112)
    • Reads the software policy settings
      • raserver.exe (PID: 3112)
    • Checks Windows Trust Settings
      • raserver.exe (PID: 3112)
No Malware configuration.

TRiD: .exe | DOS Executable Generic (100)

EXIF (EXE)

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1d450
UninitializedDataSize: -
InitializedDataSize: -
CodeSize: 162816
LinkerVersion: 10
PEType: PE32
TimeStamp: 2011:09:29 06:27:29+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Sep-2011 04:27:29

DOS Header

Magic number: MZ
Bytes on last page of file: 0x5245
Pages in file: 0x00E8
Relocations: 0x0000
Size of header: 0x5800
Min extra paragraphs: 0xE883
Max extra paragraphs: 0x8B09
Initial SS value: 0x83C8
Initial SP value: 0x3CC0
Checksum: 0x008B
Initial IP value: 0xC103
Initial CS value: 0xC083
Overlay number: 0xFF08
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 1
Time date stamp: 29-Sep-2011 04:27:29
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00027B6C | 0x00027C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.32503
No data.
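The section table is the most telling static artifact on this page: a single section that holds everything, no initialized or uninitialized data (the EXIF block above shows both as "-"), a CodeSize that is exactly the raw size of .text, and an entropy of 7.33 for that section, where compiler-emitted x86 code normally sits well below 7. Together these are the profile of a packed or crypted stub that unpacks its real payload in memory, which is also why the report extracts no malware configuration. The script below is an added example, not code from the ANY.RUN report: it constructs a minimal PE32 image from the header values listed above (machine type, timestamp, linker version, entry point and the single .text section are the report's; the section body is synthetic random bytes standing in for the real code, and the import directory is assumed to be empty), parses it the way a triage script would, and applies the packing heuristic a practitioner would run on the real file.

```python
"""PE32 header parser plus a packing heuristic, as an added example (not from the report).
The image is constructed from the header values above; the section body is synthetic random
data standing in for the real .text bytes, and the import directory is assumed to be empty."""
import calendar
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_image() -> bytes:
    """Constructed PE32 image mirroring the report's header fields (file layout assumed)."""
    text_vsize, text_raw, text_rva, raw_ptr = 0x27B6C, 0x27C00, 0x1000, 0x400
    timestamp = calendar.timegm((2011, 9, 29, 4, 27, 29))  # 29-Sep-2011 04:27:29 UTC
    hdr = bytearray(raw_ptr)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0xB8)  # e_lfanew: offset of the PE signature
    hdr[0xB8:0xBC] = b"PE\0\0"
    off = 0xBC
    # COFF header: i386, 1 section, timestamp, no symbols, 0xE0-byte optional header,
    # characteristics IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE.
    struct.pack_into("<HHIIIHH", hdr, off, IMAGE_FILE_MACHINE_I386, 1, timestamp, 0, 0, 0xE0, 0x0102)
    off += 20
    size_of_image = text_rva + ((text_vsize + 0xFFF) & ~0xFFF)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 10, 0,                           # PE32 magic, linker 10.0
                      text_raw, 0, 0, 0x1D450, text_rva, 0,   # SizeOfCode, init, uninit, entry point, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1,  # ImageBase, alignments, OS/image/subsystem versions
                      0, size_of_image, raw_ptr, 0, 2, 0,     # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum, GUI subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)  # 16 empty data directories: no import table
    hdr[off:off + len(opt)] = opt
    off += len(opt)
    hdr[off:off + 40] = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, text_rva, text_raw,
                                    raw_ptr, 0, 0, 0, 0, 0x60000020)  # CNT_CODE | MEM_EXECUTE | MEM_READ
    return bytes(hdr) + random.Random(0).randbytes(text_raw)  # synthetic section body


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    init_data, _, entry = struct.unpack_from("<III", image, opt + 8)
    nrva = struct.unpack_from("<I", image, opt + 92)[0]
    directories = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "characteristics": sc,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return {"machine": machine, "characteristics": chars, "entry_point": entry,
            "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "size_of_initialized_data": init_data, "data_directories": directories, "sections": sections}


def packing_indicators(pe: dict, entropy_threshold: float = 7.0) -> list:
    """Reasons the image looks packed; an empty list means nothing fired."""
    reasons = []
    if len(pe["sections"]) == 1:
        reasons.append("single section: no separate data, import or resource sections")
    if pe["size_of_initialized_data"] == 0:
        reasons.append("SizeOfInitializedData is 0")
    dirs = pe["data_directories"]
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_IMPORT or dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] == (0, 0):
        reasons.append("no import directory: APIs must be resolved at run time")
    for s in pe["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= entropy_threshold:
            reasons.append(f"executable section {s['name']} has entropy {s['entropy']:.2f} "
                           f">= {entropy_threshold}: compressed or encrypted code")
    return reasons


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print(pe["timestamp_utc"], [(s["name"], round(s["entropy"], 3)) for s in pe["sections"]])
    print(packing_indicators(pe))
```

Run against the real sample, parse_pe would take the file bytes instead of build_sample_image(); the synthetic body scores higher than the reported 7.33 because it is uniformly random, but both clear the 7.0 threshold, and the structural indicators (one section, no initialized data, no import directory) do not depend on the body at all. A DOS header whose fields after the MZ signature read as nonsense, as the one above does, is consistent with the same picture: nothing about this file was produced by a normal linker run and left alone.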
All screenshots are available in the full report
Total processes: 97
Monitored processes: 8
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Nodes (flattened from the interactive graph): 8.exe (no specs), raserver.exe, cmd.exe (no specs), conhost.exe (no specs), explorer.exe, firefox.exe (no specs), winyvg4cvfp.exe (no specs). Edge labels: start, drop and start, Copy/Move/Rename/Delete/Link Object.

Process information

PID: 4512
CMD: "C:\Users\admin\Desktop\8.exe"
Path: C:\Users\admin\Desktop\8.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 3112
CMD: "C:\Windows\SysWOW64\raserver.exe"
Path: C:\Windows\SysWOW64\raserver.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Remote Assistance COM Server
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\raserver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 900
CMD: /c del "C:\Users\admin\Desktop\8.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: raserver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 2860
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: \??\C:\WINDOWS\system32\conhost.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\conhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 3436
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\WINDOWS\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\oleaut32.dll
PID: 2720
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\Firefox.exe
Parent process: raserver.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 84.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\mozglue.dll
PID: 996
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\WINDOWS\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 4540
CMD: "C:\Program Files (x86)\Hdxj8y\winyvg4cvfp.exe"
Path: C:\Program Files (x86)\Hdxj8y\winyvg4cvfp.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\program files (x86)\hdxj8y\winyvg4cvfp.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
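Read as a tree, the process table gives a small set of relationships that are cheap to alert on and that do not depend on the sample's hashes: raserver.exe, the Windows Remote Assistance COM Server started from Explorer, spawns cmd.exe solely to delete the original 8.exe and then launches Firefox; a DllHost.exe surrogate hosting CLSID {3AD05575-8857-4850-9277-11B85BDB8E09} (the node the behavior graph labels "Copy/Move/Rename/Delete/Link Object") runs at HIGH integrity while every other process in the tree is MEDIUM, and it is the process that creates C:\Program Files (x86)\Hdxj8y\ and drops the executable there; Explorer then runs that dropped file. The script below is an added example, not part of the ANY.RUN report: it encodes those four relationships as stateful rules and runs them over event records constructed from the process table in a Sysmon-like shape (EventID 1 for process create, EventID 11 for file create). PIDs, images, command lines, parents and integrity levels are the report's; the full path of the svchost.exe parent and the file-create event for winyvg4cvfp.exe are assumptions filled in from the basename and from the "Drops executable file" indicator on PID 996, and the list of system binaries allowed to launch other programs is an assumed baseline.

```python
"""Process-tree detections for the behaviour in the report above.
Added example, not part of the ANY.RUN report. EVENTS is constructed from the process
table in a Sysmon-like shape (EventID 1 = process create, EventID 11 = file create);
the svchost.exe parent path and the file-create event are assumptions."""
import re

# CLSID hosted by PID 996; the behavior graph labels it "Copy/Move/Rename/Delete/Link Object".
FILE_OP_CLSID = "{3AD05575-8857-4850-9277-11B85BDB8E09}"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# System binaries that legitimately start other programs (assumed baseline); any other
# image in a system directory spawning a shell or a browser is unexpected.
LAUNCHERS = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe", "services.exe",
             "runtimebroker.exe", "userinit.exe", "winlogon.exe"}

EVENTS = [  # constructed from the report's process table
    {"EventID": 1, "ProcessId": 4512, "Image": r"C:\Users\admin\Desktop\8.exe",
     "CommandLine": r'"C:\Users\admin\Desktop\8.exe"',
     "ParentImage": r"C:\WINDOWS\Explorer.EXE", "IntegrityLevel": "Med}" .replace("}", "ium")},
]
```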
Total events: 4 915
Read events: 4 896
Write events: 19
Delete events: 0

Modification events

(PID) Process: (3436) Explorer.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop | Operation: write | Name: IconLayouts | Value:
000000000000000000000000000000000300010001000100110000000000000029000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D0000000D00000000000000430043006C00650061006E00650072002E006C006E006B000000190000000000000064006900660066006900630075006C00740069006E0073007400720075006D0065006E00740073002E00720074006600000016000000000000004100630072006F0062006100740020005200650061006400650072002000440043002E006C006E006B0000000C00000000000000460069007200650066006F0078002E006C006E006B000000120000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B000000150000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B0000000A000000000000004F0070006500720061002E006C006E006B000000130000000000000063006100740061006C006F0067006C0065006100640069006E0067002E0070006E00670000000E00000000000000660069006C00650073006200690061006E002E007200740066000000130000000000000069006E007300690064006500720065006700690073007400650072002E0072007400660000000E000000000000006E006F00740065006D006500740061006C002E0072007400660000001100000000000000700061007400690065006E007400730068006500610072002E0070006E00670000000D00000000000000730075007000650072006C006F0067002E006A007000670000001200000000000000740065006100630068006500720063006F00750070006C0065002E007200740066000000120000000000000077006F006D0061006E00720065006C006500760061006E0074002E006A00700067000000060000000000000038002E006500780065000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001100000000000000000000000000000000000000803F000000400800000000000000004002000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F00000000000000803F01000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000080401000
(PID) Process: (3436) Explorer.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts | Operation: write | Name: LastUpdate | Value: 9B0C226200000000
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (3112) raserver.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (3112) raserver.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
Executable files: 2
Suspicious files: 10
Text files: 26
Unknown types: 9

Dropped files

PID | Process | Filename | Type
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
  MD5: AA4B7669EEF55FC7705D31672B88980D | SHA256: F964C248CCFB020296430658F3CDF78B18F7904611C5A4F67CE9B3BB3C7464F8
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der
  MD5: A5F52DEA6A7C9A69FA7EBF44B8C31621 | SHA256: 63B8A379499DBC2F84AE2DEA0B97319C5182E5A248A9567323A4B5A98803BAE0
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D6243C18F0F8F9AEC6638DD210F1984_DE802A7326C3D93908F8D0893F7E3495 | der
  MD5: 99596D190E5815996291A17C517982ED | SHA256: 7FBACAA06B27C2067B8D67DE077E93612B63C155242E04D24C1882082958B4FF
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
  MD5: 379A1D7CA7EB68D6901405CD49B33E70 | SHA256: 185408E243A7B8BF54F78127BF4C8DD2C0D55CAF81DD04787AF76815C1FF5AB1
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7A2566B0F62A979AF1A98E46C5B275CF | der
  MD5: A6EAC6B3F2F2107D776EB2F598072564 | SHA256: A4CAC3F387066B861D52D683AFB43026075648AB936FEED89ECFCE76616FAD7C
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary
  MD5: DF31F3B8E45F80D74E6EB54C5B600021 | SHA256: FDC4008F41FF2BE0FD42530ED456DF147B2160EEB253E216E2686F804A49C033
3112 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\0R23F2I3\euv4[2].htm | html
  MD5: C45B52ACD98BC2026221782EBBA44A3F | SHA256: E32FCA6B4E74A23A98EA1FF211C711057A3279781697ED7884F1644B102C2E52
3112 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1SUK09Q\euv4[1].htm | html
  MD5: 1C0F092FC339E858890AE552293396B7 | SHA256: 8D209D2B789223CD76DC668AD19FBFC66291DA56FF047385AEAA90595178F2AA
3112 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\0R23F2I3\euv4[1].htm | html
  MD5: 79E9878CE7475AC1389ABE9FC7CB4974 | SHA256: B9CD995D4C969168207792FEE13BAC2171A64F74F6EC3905DECAC1B54759FE06
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
  MD5: BBB3BC271AFEB39835738E699D1F6B0B | SHA256: 70B6581C6744F2BAA10EB7FF950D471196C7B94ECB4CB89A1626C536CE0F88B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 94
TCP/UDP connections: 101
DNS requests: 149
Threats: 2

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3112 | raserver.exe | GET | 302 | 164.155.212.158:80 | http://www.turkcuyuz.com/euv4/?rtxXt=3OQtiNXh+wtFz8SCz/eMPGMDt0zVl+r60W+m0NU9E763oXZXwvDQkSXGmk8=&3flpdZ=XN9pmdeXgT4P5p0p | ZA | - | - | malicious
3112 | raserver.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDl%2BKawXnSxln5J5gCs%2Byta | US | der | 472 b | whitelisted
3112 | raserver.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
3112 | raserver.exe | GET | 301 | 23.227.38.74:80 | http://www.rematedeldia.com/euv4/?rtxXt=E+AdldNWUKn4w5MLGzeilCEOXtaM5yG6oWVR/315dVKza9vxtJcECAIUUvQ=&3flpdZ=XN9pmdeXgT4P5p0p | CA | html | 190 b | malicious
3112 | raserver.exe | GET | 404 | 3.33.152.147:80 | http://www.nathanmartinez.digital/euv4/?rtxXt=mGXTyzJialrGJ6ePw2OLDmnY/3pKgDV4z5J4hNo/NMrjj/f7OqxMvsPq+Zk=&3flpdZ=XN9pmdeXgT4P5p0p | US | html | 48 b | malicious
3112 | raserver.exe | GET | 301 | 167.86.90.254:80 | http://www.alifdanismanlik.com/euv4/?rtxXt=TRVfPiqkTC84tdYg/KiHpdfMWo5oXu88iiOypom329GZBOB1ixIt/ccz2Tw=&3flpdZ=XN9pmdeXgT4P5p0p | US | - | - | malicious
3112 | raserver.exe | GET | 200 | 104.18.31.182:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
3112 | raserver.exe | GET | 200 | 34.102.136.180:80 | http://www.bendyourtongue.com/euv4/?Zjh=VXRlp0oP5&rtxXt=dD0iDvgd4QknQVRXz5moIEmsbBY1tPeSvnURlKjkbDF/gmz5iXNPVwpW6lM= | US | html | 2.49 Kb | whitelisted
3112 | raserver.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
3112 | raserver.exe | GET | 404 | 52.20.218.92:80 | http://www.1207rossmoyne.com/euv4/?rtxXt=TT1JpN8L+7jajMh2m+yzKcbRRK1qHB2HVZAqXaTI7ZSCN6N8dyHZSsJ8Vek=&3flpdZ=XN9pmdeXgT4P5p0p | US | text | 55 b | malicious
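The ten requests above show the beaconing pattern rather than any single bad domain: the same path /euv4/ with the same query-parameter names (rtxXt together with 3flpdZ or Zjh) and base64-looking values is sent to six unrelated domains, most of which answer 301, 302 or 404, which is consistent with a rotated list of candidate hosts being tried in turn. The OCSP fetches interleaved with them are certificate-revocation checks (their results are the CryptnetUrlCache files in the dropped-files list) and serve as negatives. The script below is an added example, not part of the ANY.RUN report: it groups the URLs from the table by path and parameter-name set and flags a path that is requested with opaque values on three or more domains, which is the check a proxy-log hunt would run. The URL list is copied from the table; registered-domain extraction is simplified to stripping a leading "www." (an assumption; use the public suffix list in production).

```python
"""Group the beacon URLs above by path and query-parameter names.
Added example, not part of the ANY.RUN report; SAMPLE_URLS is copied from the HTTP table."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

SAMPLE_URLS = [  # the ten requests in the table above (beacons and OCSP checks)
    "http://www.turkcuyuz.com/euv4/?rtxXt=3OQtiNXh+wtFz8SCz/eMPGMDt0zVl+r60W+m0NU9E763oXZXwvDQkSXGmk8=&3flpdZ=XN9pmdeXgT4P5p0p",
    "http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDl%2BKawXnSxln5J5gCs%2Byta",
    "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D",
    "http://www.rematedeldia.com/euv4/?rtxXt=E+AdldNWUKn4w5MLGzeilCEOXtaM5yG6oWVR/315dVKza9vxtJcECAIUUvQ=&3flpdZ=XN9pmdeXgT4P5p0p",
    "http://www.nathanmartinez.digital/euv4/?rtxXt=mGXTyzJialrGJ6ePw2OLDmnY/3pKgDV4z5J4hNo/NMrjj/f7OqxMvsPq+Zk=&3flpdZ=XN9pmdeXgT4P5p0p",
    "http://www.alifdanismanlik.com/euv4/?rtxXt=TRVfPiqkTC84tdYg/KiHpdfMWo5oXu88iiOypom329GZBOB1ixIt/ccz2Tw=&3flpdZ=XN9pmdeXgT4P5p0p",
    "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D",
    "http://www.bendyourtongue.com/euv4/?Zjh=VXRlp0oP5&rtxXt=dD0iDvgd4QknQVRXz5moIEmsbBY1tPeSvnURlKjkbDF/gmz5iXNPVwpW6lM=",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D",
    "http://www.1207rossmoyne.com/euv4/?rtxXt=TT1JpN8L+7jajMh2m+yzKcbRRK1qHB2HVZAqXaTI7ZSCN6N8dyHZSsJ8Vek=&3flpdZ=XN9pmdeXgT4P5p0p",
]
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")  # base64-looking blob of 12+ chars


def split_query(query: str) -> dict:
    """Raw name -> value split that keeps '+' and '/' exactly as they were sent."""
    params = {}
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            params[unquote(name)] = unquote(value)
    return params


def registered_domain(host: str) -> str:
    """Simplified: strip a leading www. (assumption; a real tool uses the public suffix list)."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def cluster_by_path(urls: list) -> dict:
    """Per path: distinct domains, the parameter-name sets seen, and how many values look opaque."""
    clusters = defaultdict(lambda: {"domains": set(), "param_sets": set(), "opaque_values": 0})
    for url in urls:
        u = urlsplit(url)
        c = clusters[u.path]
        c["domains"].add(registered_domain(u.hostname or ""))
        params = split_query(u.query)
        c["param_sets"].add(tuple(sorted(params)))
        c["opaque_values"] += sum(1 for v in params.values() if OPAQUE_VALUE.match(v))
    return clusters


def suspicious_paths(urls: list, min_domains: int = 3) -> list:
    """Paths requested with opaque query values on at least min_domains unrelated domains."""
    return sorted(path for path, c in cluster_by_path(urls).items()
                  if len(c["domains"]) >= min_domains and c["opaque_values"] > 0)


if __name__ == "__main__":
    for path, c in cluster_by_path(SAMPLE_URLS).items():
        print(f"{path:<24} domains={len(c['domains']):<2} opaque_values={c['opaque_values']:<3} params={sorted(c['param_sets'])}")
    print("flagged:", suspicious_paths(SAMPLE_URLS))
```

Grouping on the path and the parameter names rather than on hostnames is what survives the host rotation: the operator can register new domains cheaply, but the client code that builds the request keeps the same URI shape until it is rebuilt. The OCSP responders carry their request in the path, so each is its own cluster with one domain and no query, and none of them is flagged.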

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3112 | raserver.exe | 104.18.31.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | unknown
3112 | raserver.exe | 104.18.30.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious
3112 | raserver.exe | 162.0.232.72:80 | www.jasabacklinkweb20.com | AirComPlus Inc. | CA | malicious
3112 | raserver.exe | 164.155.212.158:80 | www.turkcuyuz.com | IS | ZA | malicious
3112 | raserver.exe | 162.0.232.72:443 | www.jasabacklinkweb20.com | AirComPlus Inc. | CA | malicious
3112 | raserver.exe | 3.33.152.147:80 | www.nathanmartinez.digital | - | US | malicious
3112 | raserver.exe | 23.227.38.74:80 | www.rematedeldia.com | Shopify, Inc. | CA | malicious
3112 | raserver.exe | 3.223.162.31:80 | www.teamidc.com | - | US | malicious
3112 | raserver.exe | 23.227.38.32:443 | rematedeldia.com | Shopify, Inc. | CA | malicious
3112 | raserver.exe | 206.188.193.217:80 | www.launchclik.com | Defense.Net, Inc | US | malicious

DNS requests

Domain | IP | Reputation
www.nathanmartinez.digital | 15.197.142.173, 3.33.152.147 | malicious
www.turkcuyuz.com | 164.155.212.158 | malicious
www.jasabacklinkweb20.com | 162.0.232.72 | malicious
ocsp.comodoca.com | 104.18.30.182, 104.18.31.182 | whitelisted
ocsp.usertrust.com | 104.18.31.182, 104.18.30.182 | whitelisted
ocsp.sectigo.com | 104.18.30.182, 104.18.31.182 | whitelisted
www.thecuratedpour.com | 74.220.199.6 | malicious
www.rematedeldia.com | 23.227.38.74 | malicious
rematedeldia.com | 23.227.38.32 | malicious
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

Class | Message
Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
No debug info