File name: AppVShNotify.exe.bin

Full analysis: https://app.any.run/tasks/52acc922-7126-4627-828e-14fddeaea71a
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 30, 2025, 12:22:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sinkhole
m0yv
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: CB2C1D5FEEB55DA27EC563012EB2EA44
SHA1: C9F5F4833FF133A4A5CE7A91876D10814985A940
SHA256: 2A923C898E9D8D0F176591F5E662183D97E6FFD7D5AA74181BABDDE5CCA2AE81
SSDEEP: 49152:O6cMrMd50iT4tf8/MDLdh22PjrE3+gChrGwWGoM9EoPcFq0:O6wd50U4tfDLdh227XlYMWSQq0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • M0YV has been detected (YARA)

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • Actions look like stealing of personal data

      • AppVShNotify.exe.bin.exe (PID: 6320)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • Executable content was dropped or overwritten

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • Starts a Microsoft application from unusual location

      • AppVShNotify.exe.bin.exe (PID: 6320)
  • INFO

    • Creates files or folders in the user directory

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • The sample is compiled with English language support

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • Reads the computer name

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • Checks supported languages

      • AppVShNotify.exe.bin.exe (PID: 6320)
    • Checks proxy server information

      • AppVShNotify.exe.bin.exe (PID: 6320)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2056:07:30 13:56:24+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.28
CodeSize: 90112
InitializedDataSize: 167936
UninitializedDataSize: -
EntryPoint: 0x14330
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.22000.1
ProductVersionNumber: 10.0.22000.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Application Virtualization Client Shell Notifier
FileVersion: 10.0.22000.1 (WinBuild.160101.0800)
InternalName: AppVShNotify.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: AppVShNotify.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.22000.1
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, appvshnotify.exe.bin.exe (#M0YV), svchost.exe

Process information

PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Indicators: -
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\kernel.appcore.dll

PID: 6320
CMD: "C:\Users\admin\AppData\Local\Temp\AppVShNotify.exe.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\AppVShNotify.exe.bin.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Application Virtualization Client Shell Notifier
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\users\admin\appdata\local\temp\appvshnotify.exe.bin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
Total events: 1 557
Read events: 1 557
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  Type: executable
  MD5: 9058CA3A507ED9DD06538799D1472CA0
  SHA256: 32737EFFFF0C43DBA2F799F8DF1CE14A34EDFCA800BCC898E759970429E9A1DD

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
  Type: executable
  MD5: 16C993B09F6239E77ED52F91AB75304D
  SHA256: 12F55A263A8C6454D0D498E499E1BBAE0AFDCBF8F39F979B42755C82BF57A841

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe
  Type: executable
  MD5: 3361570F3E5EC3E459B898E901D940F8
  SHA256: 60229FBC5BA499A042F486798B018ABA1662DB5475C849299B9DF7D40218A4C4

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  Type: executable
  MD5: 9548FA1A5AE4E122C844B39047D46E55
  SHA256: A31E7946918160FC996C35683F49F86033BDA3D9ED8A5EE80B4B44528F1871F3

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  Type: executable
  MD5: 3316CD686ED69143B56CEB4DEB4457F8
  SHA256: 583D2C4B8750EB52DA1AE3A7DAB104679A5DD72661B0E995684AB40E49658A02

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  Type: executable
  MD5: 233901AFC59BC83D93E31AB29D1A47BD
  SHA256: 80F903D2C7AA1F7E24AF637C454110B0CCF08FA9199B0B89E89959D630052E12

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin
  Type: binary
  MD5: 21124E5F5C0519D30DD4A047FC15DB75
  SHA256: C7F0C5D705A565779ACBD796433CBE7B9B39695875127B3A5E2A9741D8217EE2

PID 6320, process AppVShNotify.exe.bin.exe
  Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
  Type: executable
  MD5: F7C40E85E694245B6634A7F023ECD9A8
  SHA256: 8957D3CF57B9425F4D7713271CF422B1DA4DAF579433D1F065BB68B80F425C8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 72
TCP/UDP connections: 88
DNS requests: 86
Threats: 23

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6320 | AppVShNotify.exe.bin.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/vgyflkqjmiutfiqa | unknown | malicious
6320 | AppVShNotify.exe.bin.exe | POST | 200 | 54.244.188.177:80 | http://pywolwnvd.biz/kstyblujntnntxr | unknown | malicious
6320 | AppVShNotify.exe.bin.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/lkbsupcvmu | unknown | malicious
6320 | AppVShNotify.exe.bin.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/uwuwvi | unknown | unknown
6320 | AppVShNotify.exe.bin.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/hqshl | unknown | malicious
6320 | AppVShNotify.exe.bin.exe | POST | 200 | 18.141.10.107:80 | http://knjghuig.biz/xwdgmjhdfjgjam | unknown | malicious
6320 | AppVShNotify.exe.bin.exe | POST | 302 | 72.52.178.23:80 | http://przvgke.biz/xulktkeybrthlh | unknown | unknown
6320 | AppVShNotify.exe.bin.exe | GET | 200 | 199.59.243.228:80 | http://ww7.przvgke.biz/uwuwvi?usid=23&utid=8885070848 | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 104.126.37.137:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6320 | AppVShNotify.exe.bin.exe | 54.244.188.177:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
6320 | AppVShNotify.exe.bin.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | malicious
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
6320 | AppVShNotify.exe.bin.exe | 44.221.84.105:80 | npukfztj.biz | AMAZON-AES | US | malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.137
  • 104.126.37.146
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.144
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.130
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.2
  • 20.190.160.20
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.130
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
pywolwnvd.biz
  • 54.244.188.177
malicious
ssbzmoy.biz
  • 18.141.10.107
malicious
cvgrf.biz
  • 54.244.188.177
malicious
go.microsoft.com
  • 23.35.238.131
whitelisted
npukfztj.biz
  • 44.221.84.105
malicious
przvgke.biz
  • 72.52.178.23
unknown
ww7.przvgke.biz
  • 199.59.243.228
malicious

Threats

PID | Process | Class | Message
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2192 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6320 | AppVShNotify.exe.bin.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
No debug info