File name: Sanitise.exe

Full analysis: https://app.any.run/tasks/859aca9b-d29d-4bf9-a568-a19b49f58c0b
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Analysis date: May 16, 2025, 03:55:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: redline, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: F05FFB41980D6FE36E7B723F0B758146
SHA1: F6074C34E2E96890D69E1782ACC5E6A2442AF8D3
SHA256: 0F005A793D972246D3BBDC07A5E40C961010D405EAFB13DBB80331A01ED2C6E4
SSDEEP: 6144:ig4LvCkr/RxIgXHaHgCbgwqrHm58nrCpmm:h4Lvxr/Rx/HaHgCbgw8Hm58nrCpmm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • REDLINE has been detected (YARA)
      • Sanitise.exe (PID: 7600)
  • SUSPICIOUS
    • Application launched itself
      • Sanitise.exe (PID: 7488)
    • Multiple wallet extension IDs have been found
      • Sanitise.exe (PID: 7600)
    • Connects to unusual port
      • Sanitise.exe (PID: 7600)
  • INFO
    • Reads the machine GUID from the registry
      • Sanitise.exe (PID: 7488)
      • Sanitise.exe (PID: 7600)
    • Checks supported languages
      • Sanitise.exe (PID: 7488)
      • Sanitise.exe (PID: 7600)
    • Checks proxy server information
      • Sanitise.exe (PID: 7600)
      • slui.exe (PID: 8064)
    • Reads the computer name
      • Sanitise.exe (PID: 7488)
      • Sanitise.exe (PID: 7600)
    • Disables trace logs
      • Sanitise.exe (PID: 7600)
    • Reads the software policy settings
      • slui.exe (PID: 8064)
RedLine

(PID) Process: (7600) Sanitise.exe
C2 (1): 80.89.237.223:33872
Botnet: chm
Options:
  ErrorMessage:
Keys:
  Xor: Truckle
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (62)
.exe | Win64 Executable (generic) (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2083:08:21 21:02:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 369664
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x5c156
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: Sanitise.exe
LegalCopyright:
OriginalFileName: Sanitise.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
Total processes: 128
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start sanitise.exe no specs conhost.exe no specs #REDLINE sanitise.exe slui.exe

Process information

PID: 7488
CMD: "C:\Users\admin\Desktop\Sanitise.exe"
Path: C:\Users\admin\Desktop\Sanitise.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 0
Version: 0.0.0.0
Modules
Images
c:\users\admin\desktop\sanitise.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: Sanitise.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7600
CMD: C:\Users\admin\Desktop\Sanitise.exe
Path: C:\Users\admin\Desktop\Sanitise.exe
Parent process: Sanitise.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 0.0.0.0
Modules
Images
c:\users\admin\desktop\sanitise.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 8064
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 926
Read events: 4 912
Write events: 14
Delete events: 0

Modification events

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7600) Sanitise.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Sanitise_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 9
TCP/UDP connections: 47
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4944 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
4944 | RUXIMICS.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
7872 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4944 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4944 | RUXIMICS.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
4944 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
7600 | Sanitise.exe | 80.89.237.223:33872 | | Zomro B.V. | NL | unknown
7872 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
google.com | 142.250.181.238 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted
crl.microsoft.com | 2.20.245.139, 2.20.245.137, 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 95.101.149.131, 184.30.21.171 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.243.31 | whitelisted
login.live.com | 40.126.31.2, 40.126.31.0, 20.190.159.71, 20.190.159.64, 40.126.31.73, 40.126.31.130, 40.126.31.71, 20.190.159.75 | whitelisted

Threats

No threats detected
No debug info