File name:

2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber

Full analysis: https://app.any.run/tasks/f12a0132-e0dd-4fac-b2bd-b2043cefdc45
Verdict: Malicious activity
Threats:

Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became well-known for its file encryption, offline capabilities, and sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also targets everyday users encrypting personal files (photos, documents) with the risk of their permanent loss.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 08:02:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
cerber
ransomware
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

C148DC43BC2CCD6D2FF2DCE23BF51B14

SHA1:

42F33AC515A422B25A38F3BD81D5B673F83549CA

SHA256:

40ABBA5DE032810CC879ECD7BD604405E5A20344C293279CFFB9A45B5E2B8BB2

SSDEEP:

6144:uhqYGocUxsoE57//z340Vas56tU0HlXNjrzNef5U:uhxGV+soE57Z96bX1le

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CERBER mutex has been found

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Actions looks like stealing of personal data

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • CERBER has been detected (SURICATA)

      • mshta.exe (PID: 7200)
      • msedge.exe (PID: 1096)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Start notepad (likely ransomware note)

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5508)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5508)

  • INFO

    • Checks supported languages

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)
      • identity_helper.exe (PID: 2332)

    • Creates files or folders in the user directory

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Reads the computer name

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)
      • identity_helper.exe (PID: 2332)

    • Reads the machine GUID from the registry

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Create files in a temporary directory

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Checks proxy server information

      • mshta.exe (PID: 7200)
      • slui.exe (PID: 2656)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7200)

    • Process checks computer location settings

      • 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe (PID: 7760)

    • Reads Environment values

      • identity_helper.exe (PID: 2332)

    • Application launched itself

      • msedge.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:05:18 09:35:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 55296
InitializedDataSize: 146432
UninitializedDataSize: -
EntryPoint: 0x948e
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
168
Monitored processes
34
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #CERBER 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe #CERBER mshta.exe notepad.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs ping.exe no specs slui.exe msedge.exe msedge.exe no specs msedge.exe no specs #CERBER msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1096"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2508 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2244"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5140 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2332"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6164 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2432"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://p27dokhpz2n7nvgr.tor2web.org/319B-6ACE-EE15-0006-4420C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2656C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2852"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3492 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3396"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6472 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3896"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7040 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3976"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6880 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5020"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6164 --field-trial-handle=2396,i,8791067237249746561,11821684151141599805,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
Total events
13 275
Read events
13 255
Write events
20
Delete events
0

Modification events

(PID) Process:(7760) 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:writeName:txtfile
Value:
(PID) Process:(7760) 2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\OpenWithProgids
Operation:writeName:htafile
Value:
(PID) Process:(7200) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7200) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7200) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7200) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(2432) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(2432) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(2432) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(2432) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files
5
Suspicious files
1 052
Text files
126
Unknown types
2

Dropped files

PID
Process
Filename
Type
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\setup.def.en-us_professional2019retail_04640089-6fb7-4a4d-ae33-18e0c4a879d8_tx_db_platform_def_.exe_Rules.xmlbinary
MD5:24AFB7CB1CC6E734CF3EA3242BC9C524
SHA256:DECB261B53DD2E65749B77F83CF607361CA691D02DC49B5777FD5E379176CD19
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Temp\bb926e54\40fd.tmptext
MD5:319B6ACEEE15846F0B750A195FB13923
SHA256:D9FC0DFDE259BA3131FF808590C2204496FC5976CE6F54667A4482F5B15456FD
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\officesetup.exe_Rules.xmlbinary
MD5:88428DA5B31FB6E7DE98E67793B48BE3
SHA256:10774B5FDCD4C60491C722FA614B6B8443ED11364420A675F991CE56E27AC9AD
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\g-LIMA7Hxh.ae90binary
MD5:88428DA5B31FB6E7DE98E67793B48BE3
SHA256:10774B5FDCD4C60491C722FA614B6B8443ED11364420A675F991CE56E27AC9AD
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Temp\bb926e54\e3ca.tmpbinary
MD5:13493A4F445CAD0F813A11C5A9DCC8C6
SHA256:2567C7110572CF62959B7F57813C15DC89A11156439BEB8E3DDB7BF284DAD021
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___YXHD6ZD_.htahtml
MD5:C07AA21EF273654FBDA572EF87A12EEF
SHA256:36D0B36C6B3EB807B60403A0522B2E773D4831E25592080633DF1DEC80FD38C7
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AWriuTPZwZ.ae90binary
MD5:2A5108097CC3153F16D573D42F6F7174
SHA256:9B7607E633858ED73C62434B209161E08B70DE50923357A1A63DC6423ED607C3
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xmlbinary
MD5:3BB943F59D9FE4A14EBDC34AD5FC60F3
SHA256:6CB67A6EEC704E742CD0D899278382714A0763D7614E84D768A934D9CF6BB733
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___X9ZUPC3Y_.txttext
MD5:35249F8A0531BA97D237EB8F097FD37F
SHA256:830162B6D0CA1BDCE69EEE0793761C9602FB8F735848F36C5608A586FC7E19A8
77602025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\msaccess.exe_Rules.xmlbinary
MD5:2A5108097CC3153F16D573D42F6F7174
SHA256:9B7607E633858ED73C62434B209161E08B70DE50923357A1A63DC6423ED607C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
60
TCP/UDP connections
2 259
DNS requests
51
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
88.221.110.122:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6456
RUXIMICS.exe
GET
200
88.221.110.122:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7408
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7408
SIHClient.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
7408
SIHClient.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
20.223.35.26:443
https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250325T080240Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=010b893449274dd8bcf9d27ea397c439&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3968641&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1359171&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2
unknown
binary
1.38 Kb
whitelisted
POST
200
40.126.31.128:443
https://login.live.com/RST2.srf
unknown
xml
1.35 Kb
whitelisted
POST
400
40.126.31.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6456
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6456
RUXIMICS.exe
88.221.110.122:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
88.221.110.122:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7760
2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber.exe
178.33.158.0:6893
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
crl.microsoft.com
  • 88.221.110.122
  • 88.221.110.114
  • 2.16.164.120
  • 2.16.164.72
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.74
  • 20.190.160.5
  • 40.126.32.138
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.133
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
api.blockcypher.com
  • 104.20.98.10
  • 172.67.17.223
  • 104.20.99.10
whitelisted

Threats

PID
Process
Class
Message
7200
mshta.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] Cerber Blockchain has been detected
A Network Trojan was detected
RANSOMWARE [ANY.RUN] Cerber Blockchain has been detected
A Network Trojan was detected
RANSOMWARE [ANY.RUN] Cerber Blockchain has been detected
1096
msedge.exe
A Network Trojan was detected
ET MALWARE Ransomware/Cerber Onion Domain Lookup
1096
msedge.exe
A Network Trojan was detected
ET MALWARE Ransomware/Cerber Onion Domain Lookup
1096
msedge.exe
A Network Trojan was detected
ET MALWARE Ransomware/Cerber Onion Domain Lookup
1096
msedge.exe
A Network Trojan was detected
ET MALWARE Ransomware/Cerber Onion Domain Lookup
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-03-25_c148dc43bc2ccd6d2ff2dce23bf51b14_cerber