File name: ben.exe
Full analysis: https://app.any.run/tasks/80dddd1c-4828-4f9b-b577-01d7862ee662
Verdict: Malicious activity
Analysis date: August 27, 2024, 06:36:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: E2F42B90A065CD4EB8F80940EA76EE12
SHA1: 4016E4480FAE6FA6E598E2799A93D33A833D006A
SHA256: 2D2F3C65D60A9DEA0BF14FB2DDA21385A5B8827B0EC96F56A2DAD003510C048B
SSDEEP: 49152:Y76x+FODWRf79GNUvAaS6SqmTBYvZGIAdIo3IAdlw25J8ox7UlHwQJWfaAANjKeB:Y76paRcNUvHSR5OvZGIAdIoYAzRJ8i7y

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by user actions during the session and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • ben.exe (PID: 5388)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • ben.exe (PID: 5388)
      • cmd.exe (PID: 2624)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2624)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 2664)
    • Starts CMD.EXE for commands execution

      • ben.exe (PID: 5388)
    • Hides command output

      • cmd.exe (PID: 2624)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 2624)
  • INFO

    • Reads the computer name

      • ben.exe (PID: 5388)
      • exe.exe (PID: 6788)
      • PLUGScheduler.exe (PID: 2664)
      • exe.exe (PID: 6272)
      • exe.exe (PID: 5744)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 2664)
    • Reads the machine GUID from the registry

      • ben.exe (PID: 5388)
      • exe.exe (PID: 6788)
      • exe.exe (PID: 6272)
      • exe.exe (PID: 5744)
    • Manual execution by a user

      • Taskmgr.exe (PID: 6436)
      • exe.exe (PID: 6788)
      • exe.exe (PID: 6272)
      • Taskmgr.exe (PID: 6344)
      • exe.exe (PID: 5744)
    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 6436)
    • Checks supported languages

      • exe.exe (PID: 6788)
      • exe.exe (PID: 6272)
      • PLUGScheduler.exe (PID: 2664)
      • exe.exe (PID: 5744)
      • ben.exe (PID: 5388)
    • Creates files or folders in the user directory

      • ben.exe (PID: 5388)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1978:10:21 08:56:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1041920
InitializedDataSize: 5632
UninitializedDataSize: -
EntryPoint: 0x1004fe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.4.5.6
ProductVersionNumber: 3.4.5.6
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: >=;843;9D@HBI57A9?6F2I5
CompanyName: CFA89G=JA8:86?IBD
FileDescription: 2<IF3GE?>6D:52G58GE=?94=
FileVersion: 3.4.5.6
InternalName: ben.exe
LegalCopyright: Copyright © 1996 CFA89G=JA8:86?IBD
OriginalFileName: ben.exe
ProductName: 2<IF3GE?>6D:52G58GE=?94=
ProductVersion: 3.4.5.6
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes
262
Monitored processes
13
Malicious processes
0
Suspicious processes
2

Behavior graph

Processes in the graph ("no specs" marks processes to which the sandbox attached no indicators): ben.exe, cmd.exe, conhost.exe (no specs), ping.exe (no specs), ping.exe (no specs), plugscheduler.exe (no specs), exe.exe (no specs), taskmgr.exe (no specs), taskmgr.exe, exe.exe (no specs), exe.exe, installutil.exe (no specs), installutil.exe (no specs)

Parent/child relationships taken from the process table: explorer.exe → ben.exe (5388) → cmd.exe (2624) → PING.EXE (608, 2228); explorer.exe → exe.exe (5744, 6272); exe.exe → InstallUtil.exe (1140, a signed .NET framework utility started with no arguments); svchost.exe → PLUGScheduler.exe (2664, a Windows Update component started by the scheduler under SYSTEM, not by the sample).

Process information

PID | CMD | Path | Parent process
608 | ping 127.0.0.1 -n 41 | C:\Windows\SysWOW64\PING.EXE | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the process was terminated rather than exiting normally)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1140 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | exe.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
2228 | ping 127.0.0.1 -n 41 | C:\Windows\SysWOW64\PING.EXE | cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2624 | "cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\admin\AppData\Local\Temp\ben.exe" "C:\Users\admin\AppData\Roaming\exe.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Users\admin\AppData\Roaming\exe.exe" | C:\Windows\SysWOW64\cmd.exe | ben.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the process was terminated rather than exiting normally)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2664 | "C:\Program Files\RUXIM\PLUGscheduler.exe" | C:\Program Files\RUXIM\PLUGScheduler.exe | svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
5388 | "C:\Users\admin\AppData\Local\Temp\ben.exe" | C:\Users\admin\AppData\Local\Temp\ben.exe | explorer.exe
User:
admin
Company:
CFA89G=JA8:86?IBD
Integrity Level:
MEDIUM
Description:
2<IF3GE?>6D:52G58GE=?94=
Exit code:
0
Version:
3.4.5.6
Modules
Images
c:\users\admin\appdata\local\temp\ben.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5744 | "C:\Users\admin\AppData\Roaming\exe.exe" | C:\Users\admin\AppData\Roaming\exe.exe | explorer.exe
User:
admin
Company:
CFA89G=JA8:86?IBD
Integrity Level:
HIGH
Description:
2<IF3GE?>6D:52G58GE=?94=
Version:
3.4.5.6
Modules
Images
c:\users\admin\appdata\roaming\exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6272 | "C:\Users\admin\AppData\Roaming\exe.exe" | C:\Users\admin\AppData\Roaming\exe.exe | explorer.exe
User:
admin
Company:
CFA89G=JA8:86?IBD
Integrity Level:
MEDIUM
Description:
2<IF3GE?>6D:52G58GE=?94=
Exit code:
1
Version:
3.4.5.6
Modules
Images
c:\users\admin\appdata\roaming\exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6344 | "C:\WINDOWS\system32\taskmgr.exe" /0 | C:\Windows\System32\Taskmgr.exe | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; Task Manager was then relaunched elevated as PID 6436)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
6436 | "C:\WINDOWS\system32\taskmgr.exe" /0 | C:\Windows\System32\Taskmgr.exe | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
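The cmd.exe command line for PID 2624 is the whole infection chain in one string: `ping 127.0.0.1 -n 41 > nul` is a sleep (ping waits about one second between echo requests, so 41 requests is roughly a 40-second delay that needs no extra binary and no Sleep API call), then the original file is copied to AppData\Roaming\exe.exe (the dropped exe.exe has the same MD5 and SHA256 as ben.exe), then the copy is launched. The loopback ping and the copy are benign on their own; the signal is all three in a single cmd.exe invocation, plus the .lnk written into the Startup folder. The following Python is an added example, not part of the ANY.RUN report, that runs that detection over constructed process-creation and file-creation events modelled on the rows above; the event dict layout, the `-n` threshold of 10 and the tag names are assumptions.

```python
import re

# Constructed sample events modelled on this report's process tree.
# PIDs, images and command lines are copied from the page; the dict
# layout is an assumption, not ANY.RUN's (or Sysmon's) schema.
PROC_EVENTS = [
    {"pid": 5388, "parent": "explorer.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\ben.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\ben.exe" '},
    {"pid": 2624, "parent": "ben.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'"cmd" /c ping 127.0.0.1 -n 41 > nul && '
                 r'copy "C:\Users\admin\AppData\Local\Temp\ben.exe" '
                 r'"C:\Users\admin\AppData\Roaming\exe.exe" && '
                 r'ping 127.0.0.1 -n 41 > nul && '
                 r'"C:\Users\admin\AppData\Roaming\exe.exe"')},
    {"pid": 608, "parent": "cmd.exe",
     "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 41 "},
    # Constructed benign control: an operator checking connectivity.
    {"pid": 9001, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 8.8.8.8 -n 4"},
]

FILE_EVENTS = [
    {"pid": 5388, "image": "ben.exe",
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows"
             r"\Start Menu\Programs\Startup\exe.lnk"},
    {"pid": 2624, "image": "cmd.exe",
     "path": r"C:\Users\admin\AppData\Roaming\exe.exe"},
]

SLEEP_THRESHOLD = 10  # assumed: echo counts this large are rarely diagnostic

SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")  # cmd.exe operators
PING = re.compile(r"\bping(?:\.exe)?\b", re.IGNORECASE)
LOOPBACK = re.compile(r"127\.0\.0\.1|localhost|::1", re.IGNORECASE)
COUNT = re.compile(r"-n\s+(\d+)", re.IGNORECASE)
COPY = re.compile(r"\bcopy\b", re.IGNORECASE)
ROAMING = re.compile(r"AppData\\Roaming\\", re.IGNORECASE)
ROAMING_EXE = re.compile(r'"[^"]*AppData\\Roaming\\[^"]*\.exe"', re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
                         re.IGNORECASE)


def classify_cmdline(cmdline):
    """Return the set of behaviour tags found in one command line.

    The line is split on cmd.exe operators so each tag is judged on a single
    command; the chain tag fires only when the sleep, the self-copy and the
    launch of the copy all appear in the same cmd.exe invocation.
    """
    tags = set()
    for seg in SEGMENT_SPLIT.split(cmdline):
        if PING.search(seg) and LOOPBACK.search(seg):
            m = COUNT.search(seg)
            if m and int(m.group(1)) >= SLEEP_THRESHOLD:
                tags.add("loopback_sleep")
        if COPY.search(seg) and ROAMING.search(seg):
            tags.add("copy_to_roaming")
        elif ROAMING_EXE.search(seg):
            tags.add("launch_from_roaming")
    if {"loopback_sleep", "copy_to_roaming", "launch_from_roaming"} <= tags:
        tags.add("delay_copy_execute_chain")
    return tags


def startup_lnk_drops(file_events):
    """Return (pid, path) for every .lnk written into a Startup folder."""
    return [(e["pid"], e["path"]) for e in file_events
            if STARTUP_LNK.search(e["path"])]


def triage(proc_events, file_events):
    """Map each PID to its sorted tags, omitting PIDs with nothing to report."""
    findings = {}
    for e in proc_events:
        tags = classify_cmdline(e["cmdline"])
        if tags:
            findings[e["pid"]] = sorted(tags)
    for pid, path in startup_lnk_drops(file_events):
        findings.setdefault(pid, []).append("startup_folder_lnk:" + path)
    return findings


if __name__ == "__main__":
    for pid, tags in triage(PROC_EVENTS, FILE_EVENTS).items():
        print(pid, tags)
```

Splitting on the cmd.exe operators matters: judging the whole line at once would also tag the standalone PING.EXE children (608, 2228), which carry the sleep but not the copy or the launch, so only cmd.exe 2624 gets the chain tag while the loopback ping alone stays a low-severity observation.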
Total events
9 451
Read events
9 441
Write events
9
Delete events
1

Modification events

Process | Key | Operation | Name | Value
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager | delete value | Preferences | (empty)
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager | write | Preferences | (binary blob, not reproduced on this page)
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder | write | exe.lnk | 020000000000000000000000
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | write | CCleaner Smart Cleaning | 03000000388271EEFD58DA01
PID 6436 (Taskmgr.exe) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 | write | SunJavaUpdateSched | 030000006B0EA3ECFD58DA01
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | write | MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A | 030000002B498EF9C8B7D801
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | write | OneDrive | 03000000A31484EEAAD7D301
PID 6436 (Taskmgr.exe) | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | write | SoundMan | 030000009F7A12EAC6B7D801
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder | write | Send to OneNote.lnk | 030000004443A9558E3CD901
PID 6436 (Taskmgr.exe) | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | write | Skype for Desktop | 03000000FD1CB01610C7D901
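All of these writes come from the elevated Task Manager (PID 6436) that the analyst opened by hand, which is consistent with viewing its Startup tab: Explorer then records each autostart entry's state under StartupApproved. The entry that matters is StartupFolder\exe.lnk with value 02 00 00 00 followed by eight zero bytes, meaning the shortcut that ben.exe dropped into the Startup folder (listed under Dropped files) is enabled and will run at the next logon, whereas the 03 entries with a non-zero tail are items the sandbox image had disabled earlier, with the tail being the FILETIME of when that happened. The following Python is an added example, not part of the ANY.RUN report, that decodes the values from this table; the flag convention (even flag = enabled, odd flag = disabled, FILETIME = when disabled) is the commonly documented one rather than an official specification, and the shortened key names are an assumption made for readability.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the report's modification-events table (PID 6436,
# Taskmgr.exe). The key names are shortened to "<subkey>\<value name>";
# the mapping itself is constructed for this example.
STARTUP_APPROVED = {
    "StartupFolder\\exe.lnk": "020000000000000000000000",
    "Run\\CCleaner Smart Cleaning": "03000000388271EEFD58DA01",
    "Run32\\SunJavaUpdateSched": "030000006B0EA3ECFD58DA01",
    "Run\\MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A":
        "030000002B498EF9C8B7D801",
    "Run\\OneDrive": "03000000A31484EEAAD7D301",
    "Run\\SoundMan": "030000009F7A12EAC6B7D801",
    "StartupFolder\\Send to OneNote.lnk": "030000004443A9558E3CD901",
    "Run\\Skype for Desktop": "03000000FD1CB01610C7D901",
}

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def decode_startup_approved(hex_value):
    """Decode one 12-byte StartupApproved value.

    Layout: a little-endian 32-bit flag followed by a little-endian FILETIME.
    By the widely documented convention an even flag (0x02, 0x06) means the
    entry is enabled and the FILETIME is zero; an odd flag (0x03) means it was
    disabled in Task Manager at the recorded time. That convention is an
    assumption of this example, not something the report states.
    """
    raw = bytes.fromhex(hex_value)
    if len(raw) != 12:
        raise ValueError("StartupApproved values are 12 bytes, got %d" % len(raw))
    flag = int.from_bytes(raw[:4], "little")
    ft = int.from_bytes(raw[4:], "little")
    disabled = bool(flag & 1)
    return {
        "flag": flag,
        "enabled": not disabled,
        "disabled_at": filetime_to_datetime(ft) if disabled and ft else None,
    }


def enabled_entries(values):
    """Names of the entries that will actually run at the next logon."""
    return sorted(name for name, v in values.items()
                  if decode_startup_approved(v)["enabled"])


if __name__ == "__main__":
    for name, v in STARTUP_APPROVED.items():
        print(name, decode_startup_approved(v))
    print("enabled:", enabled_entries(STARTUP_APPROVED))
```

When triaging a host, checking StartupApproved alongside the Run keys and the Startup folder avoids two mistakes: treating a disabled Run entry as live persistence, and missing a Startup-folder shortcut that is live because nothing in the registry disables it.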
Executable files
1
Suspicious files
30
Text files
1
Unknown types
1

Dropped files

PID | Process | Filename | Type
5388 | ben.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | lnk
MD5: 123118C5E08A9C26FE5335016F074ADE
SHA256: 407D882B35B93BA169D588FD97B78CE36DCE50F5BF3222716D8A6629ACDEBB0E
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.028.etl | etl
MD5: C8834D365FAE073DEDE1F1620454CE71
SHA256: C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.032.etl | etl
MD5: 2F36C598EBFF5B5CDD898C9691D6BCCB
SHA256: 8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.036.etl | etl
MD5: FA358BFEE9B4E1FFB7394D13CBBC4898
SHA256: 6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.031.etl | etl
MD5: 868E79A00A8204448B2FFC4F4D5C08EA
SHA256: 148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.025.etl | etl
MD5: FED961067F664B5381B65A534B7AB728
SHA256: 652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.026.etl | etl
MD5: A23907B6FDD47DCABFDFD7CF2FCD7671
SHA256: 0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970
2624 | cmd.exe | C:\Users\admin\AppData\Roaming\exe.exe | executable
MD5: E2F42B90A065CD4EB8F80940EA76EE12
SHA256: 2D2F3C65D60A9DEA0BF14FB2DDA21385A5B8827B0EC96F56A2DAD003510C048B
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.016.etl | etl
MD5: F9485F2BA891697F8B6CF8FB1E7F42C0
SHA256: 69146D4AAEFB8609745B6CA780B48ABC66054AA3CDB8061248CF7B32F3B32617
2664 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.033.etl | etl
MD5: 079890A8EC8D5CB6523FCEC2209780AA
SHA256: 0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
55
DNS requests
34
Threats
0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
1436 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
6644 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEASGp3XRNgzfylEWBFW6KKc%3D | unknown | whitelisted
6644 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1028 | SystemSettings.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1028 | SystemSettings.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5100 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Every listed request is an OCSP or CRL fetch by a Windows component (svchost.exe, SearchApp.exe, SIHClient.exe, SystemSettings.exe); none is attributed to ben.exe, exe.exe or their children.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6056 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6856 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1436 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1436 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6644 | SIHClient.exe | 13.85.23.86:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6644 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6644 | SIHClient.exe | 52.165.164.15:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

As with the HTTP requests, every listed connection belongs to a Windows service; none is attributed to the sample's processes (PIDs 5388, 2624, 5744, 6272, 1140). The counters above report 55 TCP/UDP connections and 34 DNS requests, so this table shows only a subset of the session's traffic.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.17
  • 40.126.32.138
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
www.bing.com
  • 104.126.37.154
  • 104.126.37.137
  • 104.126.37.160
  • 104.126.37.161
  • 104.126.37.145
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.153
  • 104.126.37.152
  • 104.126.37.186
  • 104.126.37.128
  • 104.126.37.179
  • 104.126.37.130
  • 104.126.37.123
  • 104.126.37.131
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
rum8.perf.linkedin.com
  • 144.2.15.25
whitelisted

Threats

No threats detected
No debug info