File name: GB.exe
Full analysis: https://app.any.run/tasks/4b7f6d59-bda2-482f-baa3-1a86940494e1
Verdict: Malicious activity
Analysis date: April 29, 2025, 18:35:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: C8C2AF0EFA1C9510AE9BFDF5B25D1098
SHA1: 1F111E3CC203DB4FE51179881662F71BA2A88103
SHA256: FEA7E7A1230FD2D57848E9148D876E9A0C42C0DE1E5E5EE198A80CC8A6996FD3
SSDEEP: 98304:EaeKX+VtcE2zDRrSe1UfTepMk/80vMck+rhIC79IcktIf9Ds8phCGLNy6ukMJdzM:UYvkDZK7Y6jzPmr/cz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 7784)
      • reg.exe (PID: 7824)
      • reg.exe (PID: 7804)
    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 1812)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1812)
    • Uses TASKKILL.EXE to kill antiviruses

      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 7468)
      • cmd.exe (PID: 7944)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 8088)
      • cmd.exe (PID: 4920)
      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 8128)
      • cmd.exe (PID: 8124)
      • cmd.exe (PID: 7432)
      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 7704)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 6040)
      • cmd.exe (PID: 6852)
      • cmd.exe (PID: 7952)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GB.exe (PID: 672)
      • Rar.exe (PID: 7416)
      • xcopy.exe (PID: 7640)
      • cmd.exe (PID: 1812)
    • Reads security settings of Internet Explorer

      • GB.exe (PID: 672)
    • The process executes VB scripts

      • GB.exe (PID: 672)
      • cmd.exe (PID: 1812)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 5156)
      • wscript.exe (PID: 8128)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 5156)
      • Microsoft0leSystemmcas.exe (PID: 7852)
      • wscript.exe (PID: 8128)
      • Winlog0nUser.exe (PID: 7844)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 976)
    • Process drops legitimate windows executable

      • Rar.exe (PID: 7416)
      • cmd.exe (PID: 1812)
    • Process copies executable file

      • cmd.exe (PID: 1812)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7688)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1812)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 1812)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5156)
      • wscript.exe (PID: 8128)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 8092)
    • There is functionality for taking screenshot (YARA)

      • Winlog0nUser.exe (PID: 7844)
    • Connects to unusual port

      • Winlog0nUser.exe (PID: 7844)
  • INFO

    • Checks supported languages

      • GB.exe (PID: 672)
      • Rar.exe (PID: 7416)
      • Microsoft0leSystemmcas.exe (PID: 7852)
      • Winlog0nUser.exe (PID: 7844)
      • zl.exe (PID: 7868)
      • SndCab.exe (PID: 7880)
    • Process checks computer location settings

      • GB.exe (PID: 672)
    • Reads the computer name

      • GB.exe (PID: 672)
      • SndCab.exe (PID: 7880)
      • Winlog0nUser.exe (PID: 7844)
    • The sample compiled with english language support

      • GB.exe (PID: 672)
      • Rar.exe (PID: 7416)
      • xcopy.exe (PID: 7640)
      • cmd.exe (PID: 1812)
    • Reads the machine GUID from the registry

      • Rar.exe (PID: 7416)
    • Creates a new folder

      • cmd.exe (PID: 7904)
      • cmd.exe (PID: 8020)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5720)
    • Reads the software policy settings

      • slui.exe (PID: 5864)
      • slui.exe (PID: 1812)
    • Checks proxy server information

      • slui.exe (PID: 1812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:27 20:03:27+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 190976
InitializedDataSize: 326656
UninitializedDataSize: -
EntryPoint: 0x1d759
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 239
Monitored processes: 102
Malicious processes: 4
Suspicious processes: 23

Behavior graph

start gb.exe wscript.exe no specs cmd.exe conhost.exe no specs taskkill.exe no specs sppextcomobj.exe no specs slui.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs rar.exe xcopy.exe xcopy.exe no specs regsvr32.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe reg.exe reg.exe winlog0nuser.exe microsoft0lesystemmcas.exe no specs zl.exe no specs sndcab.exe no specs cmd.exe no specs conhost.exe no specs attrib.exe no specs attrib.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs slui.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs gb.exe no specs

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 672
CMD: "C:\Users\admin\AppData\Local\Temp\GB.exe"
Path: C:\Users\admin\AppData\Local\Temp\GB.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\gb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
PID: 736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 896
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 976
CMD: taskkill /im sndcab.exe /f
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 976
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\TEMP\ok.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1240
CMD: cmd /c taskkill /im MsMpEngCPo.exe /f
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Winlog0nUser.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 128
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1532
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1812
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\TEMP\new.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1812
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 9 444
Read events: 9 422
Write events: 19
Delete events: 3

Modification events

(PID) Process: (672) GB.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX
Operation: write
Name: c%%TEMP%
Value: c:\TEMP\

(PID) Process: (672) GB.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value: -

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
Operation: delete key
Name: (default)
Value: -

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
Operation: delete key
Name: (default)
Value: -

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Operation: delete value
Name: ThreadingModel
Value: -

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (7688) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Operation: write
Name: Version
Value: 1.0
Executable files: 10
Suspicious files: 38
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
672 | GB.exe | C:\TEMP\inst.rar | - | - | -
7416 | Rar.exe | C:\Intel\Drv\spss.dat | - | - | -
672 | GB.exe | C:\TEMP\close.vbs | text | 8C7B0DADD914F0A3ECDC45D596D55A76 | 4B18745BDE5DA464ED6E34E3E6B10EFF6F7D75B80AD5D851F07C352123DCE7D1
672 | GB.exe | C:\TEMP\new.bat | text | EB3087AAEF467212D33700F21579449D | 3D0A35B375F2BD0A52D410FAF82ADC5691C9C2B310D42C18A1F824E2C0B997F1
7416 | Rar.exe | C:\Intel\Drv\MSWINSCK.OCX | executable | 9484C04258830AA3C2F2A70EB041414C | BF7E47C16D7E1C0E88534F4EF95E09D0FD821ED1A06B0D95A389B35364B63FF5
672 | GB.exe | C:\TEMP\InstalltoolConsole.vbs | text | 37894433BA79853954D3F5F1209DD1AD | CB74E08D23C70DDE7F6EFEBFEE49563E569CCFFF1541C9D5D96842FC8E8926B3
672 | GB.exe | C:\TEMP\ok.bat | text | 70B0AE18CD14C3C67026C447CE75F7D1 | A4CDFF7D3023E7156EED2F87C8233482AB82351527FCAF1638CE161FEDA7D46D
672 | GB.exe | C:\TEMP\Rar.exe | executable | C63E87A329F21C9CE3794D47647FCDC9 | E904F95AEADE4268AEDDD6D0FA9B867FBA789998ABF53C386D295F4E779B429F
7416 | Rar.exe | C:\Intel\Drv\LOCAL.txt | text | 99A29DC8105FD2FA39D8CDC04733938D | 9AED541153E3F39CC0B4CFD1D2B1B1D2C99F660742055147505E7E8F5EF08070
7416 | Rar.exe | C:\Intel\Drv\sndcab.dat | text | 11337948F1C939DECA9C8168622822FA | 440B045C3C078A5E031B13F1A38867F48308FF535B7282CADE6AA57D837EA427
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 31
DNS requests: 14
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.17.251.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6700 | RUXIMICS.exe | GET | 200 | 2.17.251.99:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6700 | RUXIMICS.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1300 | SIHClient.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1300 | SIHClient.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6700 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.17.251.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6700 | RUXIMICS.exe | 2.17.251.99:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | whitelisted
6700 | RUXIMICS.exe | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.74.14 | whitelisted
crl.microsoft.com | 2.17.251.99 | whitelisted
www.microsoft.com | 2.21.189.233 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
aaba919bhttps.clouddns.ph | 45.79.222.138 | unknown
aaba919bhttps.cloudns.ph | 172.93.100.239 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
aaba919bhttps.cloufire.ph | 45.79.222.138 | unknown
aab19cd4.strangled.net | - | unknown
self.events.data.microsoft.com | 13.89.179.10 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.strangled .net Domain
No debug info