File name:

Binding_of_Isaac.exe

Full analysis: https://app.any.run/tasks/a8e6bab4-4c0a-4dfd-86c1-845ee9614513
Verdict: Malicious activity
Analysis date: May 19, 2025, 22:55:39
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

5D96290E5D36D871F5C0F84B1D41DAA7

SHA1:

9D1499ACB0798F4E98A89FF478865AD8CA04F4DD

SHA256:

1A620F0B03A8CA7BDF32F84C143F1B074AD59D9294942CC44DED91E3B9E1D339

SSDEEP:

98304:cN6jxhHppN8DzBhiDi/Y/2UBp0pOwjDQYgJJQuVxmHejOkywfxGvu4mTWBepN5Ku:YGGpKVD+xuAk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Binding_of_Isaac.exe (PID: 2192)

    • Reads the Internet Settings

      • Binding_of_Isaac.exe (PID: 2192)

    • Detected use of alternative data streams (AltDS)

      • Binding_of_Isaac.exe (PID: 2192)

    • Reads security settings of Internet Explorer

      • Binding_of_Isaac.exe (PID: 2192)

  • INFO

    • Create files in a temporary directory

      • Binding_of_Isaac.exe (PID: 2192)

    • Checks supported languages

      • Binding_of_Isaac.exe (PID: 2192)

    • Reads CPU info

      • Binding_of_Isaac.exe (PID: 2192)

    • The sample compiled with english language support

      • Binding_of_Isaac.exe (PID: 2192)

    • Reads the computer name

      • Binding_of_Isaac.exe (PID: 2192)

    • Reads the machine GUID from the registry

      • Binding_of_Isaac.exe (PID: 2192)

    • Creates files or folders in the user directory

      • Binding_of_Isaac.exe (PID: 2192)

    • UPX packer has been detected

      • Binding_of_Isaac.exe (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:10 11:29:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 4284416
InitializedDataSize: 397312
UninitializedDataSize: 3469312
EntryPoint: 0x765800
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: Edmund Mcmillen & Florian Himsl
FileDescription: The Binding of Isaac
FileVersion: 1.0.0.0
InternalName: Isaac
LegalCopyright: Edmund Mcmillen & Florian Himsl
LegalTrademarks: Copyright Edmund Mcmillen & Florian
OriginalFileName: Binding_of_Isaac
ProductName: Isaac
ProductVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
100
Monitored processes
1
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start binding_of_isaac.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192"C:\Users\admin\Desktop\Binding_of_Isaac.exe" C:\Users\admin\Desktop\Binding_of_Isaac.exe
explorer.exe
User:
admin
Company:
Edmund Mcmillen & Florian Himsl
Integrity Level:
MEDIUM
Description:
The Binding of Isaac
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\binding_of_isaac.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
778
Read events
768
Write events
10
Delete events
0

Modification events

(PID) Process:(2192) Binding_of_Isaac.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2192) Binding_of_Isaac.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2192) Binding_of_Isaac.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2192) Binding_of_Isaac.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2192) Binding_of_Isaac.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation:writeName:Name
Value:
Binding_of_Isaac.exe
(PID) Process:(2192) Binding_of_Isaac.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation:writeName:ID
Value:
Executable files
5
Suspicious files
38
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\1.mddexecutable
MD5:6006D41E75DCBAF08B17B3415FABC409
SHA256:773086DBBBF198F7A3F79A73ACF08AEFDE56D78E81123E41F6DE0F0C1EFEC59E
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\0.mddexecutable
MD5:DF9FFE8B2B937C3316BBEAD7821BEE5D
SHA256:4E760B339619CAD772323203F2C9B4ADC0C1E9B335F657AFA0CB4087A036C42B
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\4.mddexecutable
MD5:5379C9DA4EECAD6BD87E16FA9BF77793
SHA256:F0466700070303202910C7E7B740D3A96750B0FA8A5B5B035D789D2815D49029
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\2.mddexecutable
MD5:3A9FFF286CF967CFD251324C83BF4921
SHA256:BED9643898F91E7BCC4D551CEFF435C02D71867CC5A950B0DE53489E26CB2155
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\~swd1.swfbinary
MD5:EEB736D65F89DBABDC5670F801C6D53B
SHA256:110CC62DFE0D51671099BC36E39F9C07331A1AF2CBC1265E6BCF19991268E425
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.solbinary
MD5:474B98DCC92FF3820AC89C4960288390
SHA256:90CB9360E98292B3670D4F43B6D95C3638C22639ADD54903C099C446781BC69F
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxxbinary
MD5:474B98DCC92FF3820AC89C4960288390
SHA256:90CB9360E98292B3670D4F43B6D95C3638C22639ADD54903C099C446781BC69F
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\~swd1.datbinary
MD5:CBA3492B636787E315784ACB1E1FB111
SHA256:282A6214F7A813365BCB11F818D7C4D4A3F3DC21A5042FF063979D3175FE94E9
2192Binding_of_Isaac.exeC:\Users\admin\AppData\Local\Temp\wrd-890-f2c-16453b.~lk\3.mddexecutable
MD5:588A476374D25728CEFCE9771E205F66
SHA256:32D9F691C0106FD3E0FA22679A5EC62BA6BAEFAC00D316829B57AA81CABD6965
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
14
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.42:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
2768
svchost.exe
GET
200
208.89.74.17:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9a78fd978e6e7371
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?444ec3da9685e6f4
unknown
whitelisted
2768
svchost.exe
GET
200
208.89.74.17:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?966e481a9fe01acd
unknown
whitelisted
2768
svchost.exe
GET
200
208.89.74.17:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?cd93d97035913c62
unknown
whitelisted
2768
svchost.exe
GET
200
208.89.74.17:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?8c5f537924fd1502
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.16.164.42:80
Akamai International B.V.
NL
unknown
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
3640
svchost.exe
20.190.160.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1496
smartscreen.exe
20.82.9.214:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
2756
svchost.exe
104.102.63.189:443
fs.microsoft.com
AKAMAI-AS
US
whitelisted
2768
svchost.exe
208.89.74.17:80
ctldl.windowsupdate.com
US
whitelisted
2988
OfficeClickToRun.exe
40.79.197.35:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
JP
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
  • 208.89.74.17
  • 208.89.74.21
  • 208.89.74.27
  • 208.89.74.31
  • 208.89.74.19
  • 208.89.74.23
  • 208.89.74.29
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.140
  • 20.190.160.3
  • 20.190.160.5
  • 40.126.32.76
  • 20.190.160.22
  • 40.126.32.68
  • 20.190.160.132
whitelisted
checkappexec.microsoft.com
  • 20.82.9.214
whitelisted
fs.microsoft.com
  • 104.102.63.189
whitelisted
self.events.data.microsoft.com
  • 40.79.197.35
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Process
Message
Binding_of_Isaac.exe
killfocus main form 0
Binding_of_Isaac.exe
wm_setfocus
Binding_of_Isaac.exe
setfocus main form 0
Binding_of_Isaac.exe
wm_killfocus
Binding_of_Isaac.exe
setfocus main form 0
Binding_of_Isaac.exe
wm_killfocus
Binding_of_Isaac.exe
killfocus main form 0
Binding_of_Isaac.exe
wm_setfocus
Binding_of_Isaac.exe
wm_setfocus
Binding_of_Isaac.exe
killfocus main form 0
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Binding_of_Isaac.exe