File name: 537

Full analysis: https://app.any.run/tasks/38a5c032-704c-485a-9444-ce770cd4d1dc
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 05, 2023, 15:09:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
locky
ransomware
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4BE3DEB2244EF733B4CC0ACB71137481
SHA1: 6B82B0F3DBA275EA3B104BED6C4A35372CB7FB32
SHA256: 13302B92D75AD29F88D8A0330C153ED0C5156C659A129E852251A3E3552F8537
SSDEEP: 12288:L/yDzz6y9v3lbQW/bAol5DUnxR09GhMJFXG9y6xo9Bca1SVF5ARU+glNYJyQUdUu:L/yvZL/8oXDUxK9GhMHXG9y6xo9Bca8H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 537.exe (PID: 6244)
      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Connects to the CnC server

      • 537.exe (PID: 6244)
    • LOCKY has been detected (SURICATA)

      • 537.exe (PID: 6244)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • 537.exe (PID: 6244)
    • Connects to the server without a host name

      • 537.exe (PID: 6244)
    • Reads Microsoft Outlook installation path

      • 537.exe (PID: 6244)
    • The process creates files with name similar to system file names

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Process drops legitimate windows executable

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Application launched itself

      • firefox.exe (PID: 6416)
      • firefox.exe (PID: 6364)
    • Connects to unusual port

      • tor.exe (PID: 2596)
  • INFO

    • Checks supported languages

      • 537.exe (PID: 6244)
      • identity_helper.exe (PID: 1360)
      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
      • firefox.exe (PID: 6416)
      • firefox.exe (PID: 6364)
      • firefox.exe (PID: 3056)
      • firefox.exe (PID: 6896)
      • tor.exe (PID: 2596)
      • firefox.exe (PID: 7416)
      • firefox.exe (PID: 4508)
      • firefox.exe (PID: 5732)
      • firefox.exe (PID: 5712)
      • firefox.exe (PID: 7424)
      • firefox.exe (PID: 7408)
      • firefox.exe (PID: 8112)
      • firefox.exe (PID: 7352)
    • Reads the computer name

      • 537.exe (PID: 6244)
      • identity_helper.exe (PID: 1360)
      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
      • firefox.exe (PID: 6364)
      • firefox.exe (PID: 3056)
      • firefox.exe (PID: 6896)
      • firefox.exe (PID: 5732)
      • firefox.exe (PID: 4508)
      • firefox.exe (PID: 7416)
      • firefox.exe (PID: 5712)
      • firefox.exe (PID: 7424)
      • firefox.exe (PID: 7408)
      • tor.exe (PID: 2596)
      • firefox.exe (PID: 8112)
      • firefox.exe (PID: 7352)
    • Checks proxy server information

      • 537.exe (PID: 6244)
    • Reads the machine GUID from the registry

      • 537.exe (PID: 6244)
      • tor.exe (PID: 2596)
      • firefox.exe (PID: 6364)
    • Creates files in a temporary directory

      • 537.exe (PID: 6244)
      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Application launched itself

      • msedge.exe (PID: 2196)
      • msedge.exe (PID: 2120)
    • Manual execution by a user

      • msedge.exe (PID: 2196)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 2120)
      • msedge.exe (PID: 6764)
      • msedge.exe (PID: 1752)
    • The process uses the downloaded file

      • msedge.exe (PID: 1188)
      • msedge.exe (PID: 2120)
    • The dropped object may contain a URL to Tor Browser

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Dropped object may contain Tor URLs

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
      • firefox.exe (PID: 6364)
    • Process checks computer location settings

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
      • firefox.exe (PID: 6364)
      • firefox.exe (PID: 7416)
    • Creates files or folders in the user directory

      • tor-browser-windows-x86_64-portable-13.0.5.exe (PID: 5136)
    • Creates files in the program directory

      • firefox.exe (PID: 6364)
    • Reads CPU info

      • firefox.exe (PID: 6364)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:01:20 18:32:39+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 137216
InitializedDataSize: 398848
UninitializedDataSize: -
EntryPoint: 0x12890
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
190
Monitored processes
67
Malicious processes
5
Suspicious processes
0

Behavior graph

start #LOCKY 537.exe splwow64.exe no specs msedge.exe cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs tor-browser-windows-x86_64-portable-13.0.5.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs firefox.exe no specs tor.exe conhost.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs firefox.exe no specs firefox.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 116
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6680 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 236
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5808 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 492
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6312 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 544
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=4248 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1168
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3288 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 1168
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6456 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1360
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
PID: 1712
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5076 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1752
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7964 --field-trial-handle=2156,i,6266560407713577921,18309122397357110930,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
20 778
Read events
20 670
Write events
107
Delete events
1

Modification events

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: WallpaperStyle
Value: 10

(PID) Process: (6244) 537.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: TileWallpaper
Value: 0

(PID) Process: (2120) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (2120) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1
Executable files
36
Suspicious files
605
Text files
255
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DFD18756F61E356289.TMP | Type: binary
MD5: E15350084C1358634A790E206652EEE2
SHA256: 837F51E826FDAEB6AD05A44E80A0018EAA3F677A68DB0F66260813807A389C65

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Documents\OneNote Notebooks\My Notebook\HJ4S8Y0P--9R0M--HKW8--79DBA364--7E625F6162E1.osiris | Type: binary
MD5: CC25D39DED4E41B9FDEBBA5328D4C541
SHA256: 9F7A00B7385B15A3155DD0ACE08D726F5A3B0196EBB4FB0B0AAFEBF770BC44E1

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Documents\Outlook Files\HJ4S8Y0P--9R0M--HKW8--104F5243--E9CF2F13045D.osiris | Type: binary
MD5: 0CB47591AADC466DB36A06733D0243F6
SHA256: 084134EAB56D3F2B14A3A777C078F7B0119EEBA0641AF54DAC74A00FD367CFA7

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Documents\OneNote Notebooks\My Notebook\OSIRIS-7e8f.htm | Type: html
MD5: 331A5A987F9F47192A13D37AB9858E65
SHA256: 286CC109D6C647906FA7DA0E230727D7C784B0D5353F766DD3516BB3E680967D

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Documents\Outlook Files\OSIRIS-134f.htm | Type: html
MD5: 331A5A987F9F47192A13D37AB9858E65
SHA256: 286CC109D6C647906FA7DA0E230727D7C784B0D5353F766DD3516BB3E680967D

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Documents\Outlook Files\HJ4S8Y0P--9R0M--HKW8--E146B8FA--CD0D1E77876E.osiris | Type: binary
MD5: C1717B031851F97D45BDBA3F061D481C
SHA256: 0BCB2321424FC8C8D9C85BB8AC24EAFADA13A7D30EC6D8A8ACBCE2BA2CDADE5B

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Desktop\HJ4S8Y0P--9R0M--HKW8--3A462AF3--58936175B054.osiris | Type: text
MD5: 07E62AF4A8475781B8ACFD884E5B9B9F
SHA256: 1A7B5E4F55F3EBCB9122B5195925CFBE32E37E9231D0F60B96F7784BA31710A2

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Desktop\OSIRIS-58c0.htm | Type: html
MD5: 331A5A987F9F47192A13D37AB9858E65
SHA256: 286CC109D6C647906FA7DA0E230727D7C784B0D5353F766DD3516BB3E680967D

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Desktop\HJ4S8Y0P--9R0M--HKW8--97CB31E4--972D029466FF.osiris | Type: text
MD5: B837E40D657FFEBFC2C485ECD5ED137B
SHA256: F0DC25A789F8FBFFCB4595E3BB52FB29ECF505E48417DA28CF5DB863810DE955

PID: 6244 | Process: 537.exe | Filename: C:\Users\admin\Desktop\HJ4S8Y0P--9R0M--HKW8--4EE0848B--8E83E1EE3B8F.osiris | Type: text
MD5: 8682B90E1CC2F489BA437E92D77A0C75
SHA256: DD629D9E2E388BA7F093E62984C6109FEA8B4DD13E61F8D40FFFBCD88939794A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
70
TCP/UDP connections
118
DNS requests
66
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6316
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
binary
313 b
unknown
1656
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
6244
537.exe
POST
404
194.31.59.5:80
http://194.31.59.5/checkupdate
unknown
html
182 b
unknown
4528
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
6244
537.exe
POST
404
194.31.59.5:80
http://194.31.59.5/checkupdate
unknown
html
182 b
unknown
236
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
236
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
2344
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl
unknown
binary
552 b
unknown
2344
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
binary
1.05 Kb
unknown
2344
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.11 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3764
svchost.exe
239.255.255.250:1900
whitelisted
4528
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4528
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6244
537.exe
46.17.40.234:80
LLC Baxet
RU
unknown
6244
537.exe
194.31.59.5:80
SFCTEK Bilisim Yazilim ve Telekomunikasyon Hiz. San. ve Tic. LTD. STI.
TR
unknown
1656
backgroundTaskHost.exe
20.31.169.57:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1656
backgroundTaskHost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
6316
backgroundTaskHost.exe
184.86.103.132:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
www.bing.com
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 204.79.197.239
  • 13.107.21.239
whitelisted
edgeassetservice.azureedge.net
  • 13.107.246.63
  • 13.107.213.63
whitelisted

Threats

PID
Process
Class
Message
6244
537.exe
Malware Command and Control Activity Detected
ET MALWARE Locky CnC Checkin Dec 5 M1
6244
537.exe
Malware Command and Control Activity Detected
ET MALWARE Locky CnC Checkin HTTP Pattern
6244
537.exe
Malware Command and Control Activity Detected
ET MALWARE Locky CnC Checkin Dec 5 M1
6244
537.exe
Malware Command and Control Activity Detected
ET MALWARE Locky CnC Checkin HTTP Pattern
2596
tor.exe
Misc Attack
ET TOR Known Tor Exit Node Traffic group 71
2596
tor.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 71
2596
tor.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 310
2596
tor.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 427
2596
tor.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 665
2596
tor.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 762
No debug info