File name:

some_malicious_file.bin

Full analysis: https://app.any.run/tasks/0951a92b-9cd3-4705-8cb0-7fb983513246
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 11, 2023, 05:37:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sodinokibi
revil
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

890A58F200DFFF23165DF9E1B088E58F

SHA1:

74E3D82F7EE81109E150DC41112CF95B3A4B5307

SHA256:

5F56D5748940E4039053F85978074BDE16D64BD5BA97F6F0026BA8172CB29E93

SSDEEP:

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/yV:JvGWwbnWJ/yB9Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SODINOKIBI has been detected (YARA)

      • some_malicious_file.bin.exe (PID: 2580)
    • Sodinokibi ransom note is found

      • some_malicious_file.bin.exe (PID: 2580)
    • Renames files like ransomware

      • some_malicious_file.bin.exe (PID: 2580)
    • Drops the executable file immediately after the start

      • some_malicious_file.bin.exe (PID: 2580)
      • ninite.exe (PID: 3784)
    • Actions look like stealing of personal data

      • some_malicious_file.bin.exe (PID: 2580)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • some_malicious_file.bin.exe (PID: 5832)
      • some_malicious_file.bin.exe (PID: 2580)
      • Ninite.exe (PID: 6980)
    • Application launched itself

      • some_malicious_file.bin.exe (PID: 5832)
      • Ninite.exe (PID: 6980)
    • Starts CMD.EXE for command execution

      • some_malicious_file.bin.exe (PID: 2580)
    • Creates files like ransomware instruction

      • some_malicious_file.bin.exe (PID: 2580)
    • Reads security settings of Internet Explorer

      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
    • Checks Windows Trust Settings

      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
  • INFO

    • Checks supported languages

      • some_malicious_file.bin.exe (PID: 5832)
      • some_malicious_file.bin.exe (PID: 2580)
      • identity_helper.exe (PID: 7432)
      • tor-browser-windows-x86_64-portable-13.0.6.exe (PID: 7216)
      • identity_helper.exe (PID: 7272)
      • tor-browser-windows-i686-portable-13.0.6.exe (PID: 2232)
      • Ninite.exe (PID: 6980)
      • Ninite.exe (PID: 6988)
      • ninite.exe (PID: 3784)
    • Reads the computer name

      • some_malicious_file.bin.exe (PID: 5832)
      • some_malicious_file.bin.exe (PID: 2580)
      • identity_helper.exe (PID: 7432)
      • identity_helper.exe (PID: 7272)
      • tor-browser-windows-x86_64-portable-13.0.6.exe (PID: 7216)
      • tor-browser-windows-i686-portable-13.0.6.exe (PID: 2232)
      • Ninite.exe (PID: 6980)
      • Ninite.exe (PID: 6988)
      • ninite.exe (PID: 3784)
    • Reads Environment values

      • some_malicious_file.bin.exe (PID: 2580)
    • Creates files in the program directory

      • some_malicious_file.bin.exe (PID: 2580)
    • Dropped object may contain TOR URLs

      • some_malicious_file.bin.exe (PID: 2580)
    • Creates files in a temporary directory

      • some_malicious_file.bin.exe (PID: 2580)
      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
    • Reads the software policy settings

      • some_malicious_file.bin.exe (PID: 2580)
      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
    • Application launched itself

      • chrome.exe (PID: 5116)
      • msedge.exe (PID: 7780)
      • msedge.exe (PID: 6220)
    • Manual execution by a user

      • tor-browser-windows-i686-portable-13.0.6.exe (PID: 2232)
      • chrome.exe (PID: 5116)
      • tor-browser-windows-x86_64-portable-13.0.6.exe (PID: 7216)
      • ninite.exe (PID: 3784)
      • notepad++.exe (PID: 5644)
    • Reads the machine GUID from the registry

      • some_malicious_file.bin.exe (PID: 2580)
      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
    • Drops the executable file immediately after the start

      • msedge.exe (PID: 6500)
    • Checks proxy server information

      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
    • Creates files or folders in the user directory

      • ninite.exe (PID: 3784)
      • Ninite.exe (PID: 6988)
    • Process checks computer location settings

      • Ninite.exe (PID: 6980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:10 17:29:32+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 41984
InitializedDataSize: 122368
UninitializedDataSize: -
EntryPoint: 0x36e6
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 181
Monitored processes: 55
Malicious processes: 3
Suspicious processes: 2

Behavior graph

start some_malicious_file.bin.exe no specs #SODINOKIBI some_malicious_file.bin.exe cmd.exe no specs conhost.exe no specs notepad++.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs tor-browser-windows-x86_64-portable-13.0.6.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs tor-browser-windows-i686-portable-13.0.6.exe no specs msedge.exe no specs ninite.exe ninite.exe no specs ninite.exe msedge.exe no specs

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 304
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3200 --field-trial-handle=2144,i,5625435722149676100,1598640779075085567,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 480
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=4272 --field-trial-handle=1912,i,4439144568559286963,9101377598279877351,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
112.0.5615.50
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 492
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=2144,i,5625435722149676100,1598640779075085567,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 804
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4376 --field-trial-handle=2144,i,5625435722149676100,1598640779075085567,131072 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 1224
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3352 --field-trial-handle=2052,i,604383710481855849,1515301329749091443,131072 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
111.0.1661.62
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\111.0.1661.62\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 1540
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=4448 --field-trial-handle=1912,i,4439144568559286963,9101377598279877351,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
112.0.5615.50
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1804
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=4604 --field-trial-handle=1912,i,4439144568559286963,9101377598279877351,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
112.0.5615.50
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1980
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=4888 --field-trial-handle=1912,i,4439144568559286963,9101377598279877351,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
112.0.5615.50
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2232
CMD: "C:\Users\admin\Desktop\tor-browser-windows-i686-portable-13.0.6.exe"
Path: C:\Users\admin\Desktop\tor-browser-windows-i686-portable-13.0.6.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Tor Browser Installer
Exit code:
2
Modules
Images
c:\users\admin\desktop\tor-browser-windows-i686-portable-13.0.6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2424
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4272 --field-trial-handle=1912,i,4439144568559286963,9101377598279877351,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
112.0.5615.50
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\112.0.5615.50\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 28 388
Read events: 28 269
Write events: 117
Delete events: 2

Modification events

Process: (5832) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (5832) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (5832) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (5832) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (2580) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (2580) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2580) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2580) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2580) some_malicious_file.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (5116) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0
Executable files: 9
Suspicious files: 376
Text files: 94
Unknown types: 3

Dropped files

PID | Process | Filename | Type

2580 | some_malicious_file.bin.exe | C:\BOOTNXT | binary
MD5: 49601B28EDEC40EA750DC5AD29E27BA5
SHA256: 4E37DF273AC6A1EA32A250A60EEF579BEB51DC4E27ACF75D5F4AC05B2C519DBF

2580 | some_malicious_file.bin.exe | C:\bootTel.dat | binary
MD5: E8F0CBC7BDE214EBF426158E17B3892C
SHA256: 9A778BBC4A443E38931779B0951F13BC112276DE1287F00ACD3A963C86276267

2580 | some_malicious_file.bin.exe | C:\bootTel.dat.z7ax635630 | binary
MD5: E8F0CBC7BDE214EBF426158E17B3892C
SHA256: 9A778BBC4A443E38931779B0951F13BC112276DE1287F00ACD3A963C86276267

2580 | some_malicious_file.bin.exe | C:\BOOTNXT.z7ax635630 | binary
MD5: 49601B28EDEC40EA750DC5AD29E27BA5
SHA256: 4E37DF273AC6A1EA32A250A60EEF579BEB51DC4E27ACF75D5F4AC05B2C519DBF

2580 | some_malicious_file.bin.exe | C:\program files\z7ax635630-readme.txt | binary
MD5: 1D3149773B733B9FC85AC7BBB8216FB9
SHA256: 5D5D629F7B98020E0B5138BA20BFE26521DBEF8E241B1E6602C4EE99C30EAA03

2580 | some_malicious_file.bin.exe | C:\users\z7ax635630-readme.txt | binary
MD5: 1D3149773B733B9FC85AC7BBB8216FB9
SHA256: 5D5D629F7B98020E0B5138BA20BFE26521DBEF8E241B1E6602C4EE99C30EAA03

2580 | some_malicious_file.bin.exe | C:\found.000\dir0000.chk\z7ax635630-readme.txt | binary
MD5: 1D3149773B733B9FC85AC7BBB8216FB9
SHA256: 5D5D629F7B98020E0B5138BA20BFE26521DBEF8E241B1E6602C4EE99C30EAA03

2580 | some_malicious_file.bin.exe | C:\found.000\z7ax635630-readme.txt | binary
MD5: 1D3149773B733B9FC85AC7BBB8216FB9
SHA256: 5D5D629F7B98020E0B5138BA20BFE26521DBEF8E241B1E6602C4EE99C30EAA03

2580 | some_malicious_file.bin.exe | C:\found.000\file00000000.chk.z7ax635630 | binary
MD5: 0BA2DED0B5F130583D8C81131E93FD18
SHA256: 79CBC22343E4E62BA9045A92E24BB62457F3139D05B53D173B0FBB73EBA038A5

2580 | some_malicious_file.bin.exe | C:\found.000\file00000007.chk | binary
MD5: 779FD56317A6FCBC06161797CFAC5D32
SHA256: 6DFF8EB307A620C0854E27D347D6661423304A18A52697D8958718512D845E5C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 236
DNS requests: 246
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2876 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
7408 | svchost.exe | HEAD | 200 | 23.48.23.43:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1702689879&P2=404&P3=2&P4=bPAlI8Jm8NB5bWwWx65r2Y9lzo6u0cODn%2fuOoZfWD4TWDc%2b5odFQGsMG1XaeeWzYg58X1gA4e3qMYJUCOrLrzw%3d%3d | unknown | unknown
480 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
6364 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown
5008 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 313 b | unknown
480 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown
2344 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | binary | 1.05 Kb | unknown
5828 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | unknown | binary | 242 Kb | unknown
2344 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl | unknown | binary | 552 b | unknown
2344 | svchost.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3764 | svchost.exe | 239.255.255.250:1900 | unknown
2876 | svchost.exe | 20.190.160.17:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2876 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
6364 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6364 | backgroundTaskHost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
480 | SIHClient.exe | 20.114.59.183:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
480 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
480 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation

login.live.com (whitelisted):
  • 20.190.160.17
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.133
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.76
ocsp.digicert.com (whitelisted):
  • 192.229.221.95
arc.msn.com (whitelisted):
  • 20.223.35.26
slscr.update.microsoft.com (whitelisted):
  • 20.114.59.183
www.microsoft.com (whitelisted):
  • 184.30.21.171
fe3cr.delivery.mp.microsoft.com (whitelisted):
  • 20.242.39.171
www.bing.com (whitelisted):
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.187
  • 2.23.209.140
  • 104.126.37.178
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.130
  • 104.126.37.128
  • 104.126.37.137
  • 104.126.37.144
  • 104.126.37.131
  • 104.126.37.163
craftingalegacy.com (malicious):
  • 50.87.137.113
g2mediainc.com (unknown):
  • 78.46.1.42
brinkdoepke.eu (malicious):
  • 92.205.192.141

Threats

PID | Process | Class | Message

6156 | msedge.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
6156 | msedge.exe | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decryptor .top)
6156 | msedge.exe | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decryptor .top)
6156 | msedge.exe | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decryptor .top)
6156 | msedge.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2580 | some_malicious_file.bin.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
2580 | some_malicious_file.bin.exe | Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate
2092 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .life TLD
2092 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .life TLD
2 ETPRO signatures available at the full report
Process | Message

notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: error while getting certificate informations