File name: 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe

Full analysis: https://app.any.run/tasks/60018138-a4f6-4b36-b00f-a6b26c2c56d2
Verdict: Malicious activity
Threats: DarkGate

DarkGate is a loader with extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, it is known for using AutoIT scripts in its infection chain. Its versatile architecture has made it widely used by established threat actors.

Analysis date: May 21, 2024, 14:20:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: sinkhole, darkgate, spyware, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0B8BC95983C20FE0A4D6DA5D0D02BBF0
SHA1: F0F1F39F581E64F48D857455E827E4AB99E176DD
SHA256: 92F6019A04B29F6CD676706E49A554E0885FF2FCD8C19734A33633395CBB888E
SSDEEP: 98304:6Wn8nBa4ZfPM5t0X1N9i22IT1PD2222222721vFdGBeQN0aFvGSSRkrlcfABLqI9:pX+fX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • armsvc.exe (PID: 4284)
    • Creates a writable file in the system directory

      • armsvc.exe (PID: 4284)
      • msdtc.exe (PID: 6828)
      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
    • Actions look like stealing of personal data

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • armsvc.exe (PID: 4284)
      • alg.exe (PID: 5860)
      • SearchIndexer.exe (PID: 7568)
    • Connects to the CnC server

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
  • SUSPICIOUS

    • Executes as Windows Service

      • alg.exe (PID: 5860)
      • AppVClient.exe (PID: 4216)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 5092)
      • MicrosoftEdgeUpdate.exe (PID: 3104)
      • armsvc.exe (PID: 4284)
      • FXSSVC.exe (PID: 4216)
      • GameInputSvc.exe (PID: 6252)
      • FlashPlayerUpdateService.exe (PID: 712)
      • GoogleUpdate.exe (PID: 6464)
      • maintenanceservice.exe (PID: 6748)
      • msdtc.exe (PID: 6828)
      • PerceptionSimulationService.exe (PID: 7032)
      • perfhost.exe (PID: 7100)
      • MicrosoftEdgeUpdate.exe (PID: 7132)
      • PSEXESVC.exe (PID: 6244)
      • Locator.exe (PID: 6284)
      • snmptrap.exe (PID: 6796)
      • SensorDataService.exe (PID: 6520)
      • Spectrum.exe (PID: 6972)
      • ssh-agent.exe (PID: 6552)
      • TieringEngineService.exe (PID: 7200)
      • AgentService.exe (PID: 7296)
      • vds.exe (PID: 7332)
      • VSSVC.exe (PID: 7364)
      • WmiApSrv.exe (PID: 7480)
      • wbengine.exe (PID: 7428)
      • GoogleUpdate.exe (PID: 8108)
    • Reads the BIOS version

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 3104)
      • MicrosoftEdgeUpdate.exe (PID: 4484)
      • GameInputSvc.exe (PID: 6252)
      • GoogleUpdate.exe (PID: 6464)
      • GoogleUpdate.exe (PID: 6580)
      • MicrosoftEdgeUpdate.exe (PID: 7132)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5536)
      • MicrosoftEdgeUpdate.exe (PID: 5076)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6260)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6348)
    • Searches for installed software

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
    • Executable content was dropped or overwritten

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • armsvc.exe (PID: 4284)
    • Process drops legitimate windows executable

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • armsvc.exe (PID: 4284)
    • Creates files in the driver directory

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
    • Contacting a server suspected of hosting a CnC

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
  • INFO

    • Checks supported languages

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5536)
      • MicrosoftEdgeUpdate.exe (PID: 4484)
      • MicrosoftEdgeUpdate.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 3104)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6260)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6348)
      • elevation_service.exe (PID: 6376)
      • armsvc.exe (PID: 4284)
      • FlashPlayerUpdateService.exe (PID: 712)
      • MicrosoftEdgeUpdate.exe (PID: 6428)
      • GoogleUpdate.exe (PID: 6464)
      • GoogleUpdate.exe (PID: 6580)
      • elevation_service.exe (PID: 6644)
      • GoogleUpdate.exe (PID: 6668)
      • GoogleCrashHandler.exe (PID: 6708)
      • maintenanceservice.exe (PID: 6748)
      • GoogleCrashHandler64.exe (PID: 6768)
      • GoogleUpdate.exe (PID: 6848)
      • MicrosoftEdgeUpdate.exe (PID: 7132)
      • PSEXESVC.exe (PID: 6244)
      • MicrosoftEdgeUpdate.exe (PID: 5744)
      • GoogleUpdate.exe (PID: 8108)
      • ssh-agent.exe (PID: 6552)
    • Reads the machine GUID from the registry

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • GoogleUpdate.exe (PID: 6668)
      • GoogleUpdate.exe (PID: 8108)
    • Reads the computer name

      • FlashPlayerUpdateService.exe (PID: 712)
      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • MicrosoftEdgeUpdate.exe (PID: 3104)
      • MicrosoftEdgeUpdate.exe (PID: 5076)
      • MicrosoftEdgeUpdate.exe (PID: 4484)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5536)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6260)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6348)
      • elevation_service.exe (PID: 6376)
      • armsvc.exe (PID: 4284)
      • MicrosoftEdgeUpdate.exe (PID: 6428)
      • GoogleUpdate.exe (PID: 6464)
      • GoogleUpdate.exe (PID: 6580)
      • GoogleUpdate.exe (PID: 6668)
      • elevation_service.exe (PID: 6644)
      • GoogleCrashHandler.exe (PID: 6708)
      • maintenanceservice.exe (PID: 6748)
      • GoogleCrashHandler64.exe (PID: 6768)
      • GoogleUpdate.exe (PID: 6848)
      • MicrosoftEdgeUpdate.exe (PID: 7132)
      • PSEXESVC.exe (PID: 6244)
      • MicrosoftEdgeUpdate.exe (PID: 5744)
      • ssh-agent.exe (PID: 6552)
      • GoogleUpdate.exe (PID: 8108)
    • Reads the software policy settings

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • GameInputSvc.exe (PID: 6308)
      • GoogleUpdate.exe (PID: 6668)
      • MicrosoftEdgeUpdate.exe (PID: 5744)
      • GoogleUpdate.exe (PID: 8108)
      • MicrosoftEdgeUpdate.exe (PID: 7132)
    • Creates files in a temporary directory

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
    • Creates files or folders in the user directory

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • GoogleUpdate.exe (PID: 6668)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 4216)
      • GoogleUpdate.exe (PID: 6464)
      • GoogleUpdate.exe (PID: 6580)
      • GoogleUpdate.exe (PID: 6668)
      • maintenanceservice.exe (PID: 6748)
      • GoogleUpdate.exe (PID: 6848)
      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
      • SearchIndexer.exe (PID: 7568)
      • GoogleUpdate.exe (PID: 8108)
    • Executes as Windows Service

      • elevation_service.exe (PID: 6376)
      • elevation_service.exe (PID: 6644)
      • SearchIndexer.exe (PID: 7568)
    • Checks proxy server information

      • 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (PID: 6112)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 6828)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 5744)
    • Reads the time zone

      • TieringEngineService.exe (PID: 7200)
    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 7852)
No Malware configuration.

TRiD (file type identification; last column is the match probability in %)

.exe | Win64 Executable (generic) | 76.4
.exe | Win32 Executable (generic) | 12.4
.exe | Generic Win/DOS Executable | 5.5
.exe | DOS Executable Generic | 5.5

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:04:22 21:17:20+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 750080
InitializedDataSize: 1796608
UninitializedDataSize: -
EntryPoint: 0x6ee6e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.1.4.89
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Malwarebytes
FileDescription: Malwarebytes Setup
FileVersion: 5.1.4.89
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
InternalName: MBSetup.exe
OriginalFileName: MBSetup.exe
ProductName: Malwarebytes
All screenshots are available in the full report
Total processes: 171
Monitored processes: 49
Malicious processes: 3
Suspicious processes: 6

Behavior graph

The interactive process graph is only available in the full report; "no specs" marks processes for which the sandbox recorded no specific indicators. Processes in the graph, in the order shown, starting from the sample:

92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe, armsvc.exe, flashplayerupdateservice.exe (no specs), alg.exe, appvclient.exe (no specs), diagnosticshub.standardcollector.service.exe (no specs), microsoftedgeupdate.exe (no specs, three instances), fxssvc.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), gameinputsvc.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), gameinputsvc.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), elevation_service.exe (no specs), microsoftedgeupdate.exe (no specs), googleupdate.exe (no specs, two instances), elevation_service.exe (no specs), googleupdate.exe, googlecrashhandler.exe (no specs), maintenanceservice.exe (no specs), googlecrashhandler64.exe (no specs), msdtc.exe (no specs), googleupdate.exe (no specs), perceptionsimulationservice.exe (no specs), perfhost.exe (no specs), microsoftedgeupdate.exe, psexesvc.exe (no specs), locator.exe (no specs), microsoftedgeupdate.exe, sensordataservice.exe (no specs), snmptrap.exe (no specs), spectrum.exe (no specs), ssh-agent.exe (no specs), tieringengineservice.exe (no specs), agentservice.exe (no specs), vds.exe (no specs), vssvc.exe (no specs), wbengine.exe (no specs), wmiapsrv.exe (no specs), searchindexer.exe, googleupdate.exe, Delivery Optimization User (no specs), filecoauth.exe (no specs), searchprotocolhost.exe (no specs), searchfilterhost.exe (no specs), 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe (no specs)

Process information

PID 712 | Parent process: services.exe
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Adobe
Description: Adobe® Flash® Player Update Service 32.0 r0 | Version: 32,0,0,465 | Exit code: 0

PID 3104 | Parent process: services.exe
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Microsoft Corporation
Description: Microsoft Edge Update | Version: 1.3.147.37 | Exit code: 0

PID 3872 | Parent process: svchost.exe
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
User: admin | Integrity Level: MEDIUM | Company: Microsoft Corporation
Description: Microsoft OneDrive File Co-Authoring Executable | Version: 19.043.0304.0013 | Exit code: 0

PID 4216 | Parent process: services.exe
CMD: C:\WINDOWS\system32\AppVClient.exe
Path: C:\Windows\System32\AppVClient.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Microsoft Corporation
Description: Microsoft Application Virtualization Client Service | Version: 10.0.19041.3636 (WinBuild.160101.0800) | Exit code: 0

PID 4216 | Parent process: services.exe
CMD: C:\WINDOWS\system32\fxssvc.exe
Path: C:\Windows\System32\FXSSVC.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Microsoft Corporation
Description: Fax Service | Version: 10.0.19041.3636 (WinBuild.160101.0800) | Exit code: 0

PID 4284 | Parent process: services.exe
CMD: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Adobe Inc.
Description: Acrobat Update Service | Version: 1.824.460.1042

PID 4288 | Parent process: explorer.exe
CMD: "C:\Users\admin\Desktop\92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe"
Path: C:\Users\admin\Desktop\92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe
User: admin | Integrity Level: MEDIUM | Company: Malwarebytes
Description: Malwarebytes Setup | Version: 5.1.4.89 | Exit code: 3221226540

PID 4484 | Parent process: MicrosoftEdgeUpdate.exe
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Microsoft Corporation
Description: Microsoft Edge Update | Version: 1.3.147.37

PID 5076 | Parent process: MicrosoftEdgeUpdate.exe
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Microsoft Corporation
Description: Microsoft Edge Update | Version: 1.3.147.37 | Exit code: 0

PID 5092 | Parent process: services.exe
CMD: C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Path: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
User: SYSTEM | Integrity Level: SYSTEM | Company: Microsoft Corporation
Description: Microsoft (R) Diagnostics Hub Standard Collector | Version: 11.00.19041.3930 (WinBuild.160101.0800)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events: no data
Executable files: 149
Suspicious files: 4
Text files: 6
Unknown types: 0

Dropped files (PID | Process | Filename | Type, followed by the file's MD5 and SHA256)

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
  MD5: 5F9A48CE19855B619ABF06A0CDF84AFD
  SHA256: 6E737B809FCA61C6D05800A611B588563B0A50B7600F7BEF122EF1887818012E

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | executable
  MD5: FDA5A5FCDADB9C76744B22B2E13708B9
  SHA256: 817A668F4908DB7CD2DA88C28E7140A674824039DA6E2CB137DB3E4E81F6D1B1

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | executable
  MD5: 06E88025AE1C4ED0302F58B5819ECF16
  SHA256: 3656CA54A4E017E345E8E72283B0A4F09D9BE7300F8F138B44A0F087BF3BD0C7

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe | executable
  MD5: 226E16E60BFA65098DABA2FCC09F889C
  SHA256: E99D65605F7AE171F25066D86588CC0E52AF116EDFCC268CCC2DB74F95486208

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\WINDOWS\System32\alg.exe | executable
  MD5: AF4622B6ABA246A90C1F92F73E0E3FDA
  SHA256: D1E2D4BB04B5B2DD352895BEBDAA3A93F425300E40DD0F48D936456A04D3372A

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\WINDOWS\system32\fxssvc.exe | executable
  MD5: 92BA8C844DB140332E4C09543CEF3203
  SHA256: A989158172490B845D22948608D796694984D035C288C546CF0AEB7BB9B69AFF

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | executable
  MD5: BB1E72671BDA50ED5F5406AAFDFB64BD
  SHA256: 5A543B8A49EC9045017344794AA94EA8CB056C695F718DA252B343DBE1177DFF

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\WINDOWS\system32\AppVClient.exe | executable
  MD5: 035ED1A978C55505916448212DD941AE
  SHA256: E366F0BB327A7DCA10C1643903D560BDD431C4371697026F0F33FF6A63E8D4E4

3104 | MicrosoftEdgeUpdate.exe | C:\PROGRAMDATA\MICROSOFT\EDGEUPDATE\LOG\MICROSOFTEDGEUPDATE.LOG | text
  MD5: 8A2F889384E6C666FD97F74BC0C48E1F
  SHA256: B567BBBDEDADBCA6BE6A6AA85684182D006FB06DE40B249F063FD5F881DF83E9

6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | C:\Program Files\Google\Chrome\Application\122.0.6261.70\elevation_service.exe | executable
  MD5: BEE89FB69AA27DE9B94175E47A0B9FAC
  SHA256: CB7DBF800EA9CCB6D037EFA8476B3A11A8968C03167F6DDD3EDF13817118215A
HTTP(S) requests: 194
TCP/UDP connections: 65
DNS requests: 33
Threats: 34

HTTP requests (PID | Process | Method | HTTP Code | IP | URL | remaining columns CN, Type, Size, Reputation as captured; "-" marks a value the report did not record)

4284 | armsvc.exe | POST | 200 | 44.221.84.105:80 | http://npukfztj.biz/rigltvaia | unknown | unknown
4284 | armsvc.exe | POST | 200 | 18.141.10.107:80 | http://ssbzmoy.biz/oa | unknown | unknown
4428 | RUXIMICS.exe | GET | 200 | 92.123.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
4428 | RUXIMICS.exe | GET | 200 | 95.100.245.144:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4284 | armsvc.exe | POST | - | 54.157.24.8:80 | http://przvgke.biz/yvd | unknown | unknown
4284 | armsvc.exe | POST | 200 | 54.244.188.177:80 | http://cvgrf.biz/ebanaqrokjquwa | unknown | unknown
6668 | GoogleUpdate.exe | GET | 204 | 142.250.185.206:443 | https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.36.372&applang=&machine=1&version=1.3.36.372&userid=&osversion=10.0&servicepack= | unknown
4284 | armsvc.exe | POST | 200 | 35.91.124.102:80 | http://pywolwnvd.biz/tswjewijdfokpvf | unknown | unknown
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | POST | 200 | 35.91.124.102:80 | http://pywolwnvd.biz/tswjewijdfokpvf | unknown | unknown
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | POST | - | 18.141.10.107:80 | http://ssbzmoy.biz/fkgftkhhaqorgr | unknown | unknown

Connections (PID | Process | IP | Domain | ASN | CN | Reputation; "-" marks a value the report did not record)

5228 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4428 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | 54.203.47.28:443 | api2.amplitude.com | AMAZON-02 | US | unknown
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | 35.91.124.102:80 | pywolwnvd.biz | AMAZON-02 | US | unknown
4364 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
4284 | armsvc.exe | 35.91.124.102:80 | pywolwnvd.biz | AMAZON-02 | US | unknown
6668 | GoogleUpdate.exe | 142.250.185.206:443 | clients2.google.com | GOOGLE | US | whitelisted
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown
4284 | armsvc.exe | 18.141.10.107:80 | ssbzmoy.biz | AMAZON-02 | SG | unknown

DNS requests (Domain | resolved IPs | Reputation)

settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
api2.amplitude.com | 54.203.47.28, 52.42.215.144, 35.82.100.224, 44.228.164.153, 44.224.18.40, 54.68.198.205, 54.184.226.50, 54.186.195.209 | whitelisted
pywolwnvd.biz | 35.91.124.102 | unknown
clients2.google.com | 142.250.185.206 | whitelisted
ssbzmoy.biz | 18.141.10.107 | unknown
config.edge.skype.com | 13.107.42.16 | whitelisted
crl.microsoft.com | 92.123.77.26, 2.19.194.200 | whitelisted
msedge.api.cdp.microsoft.com | 20.7.47.135 | whitelisted
www.microsoft.com | 95.100.245.144 | whitelisted
cvgrf.biz | 54.244.188.177 | malicious

Threats (PID | Process | Class | Message; "-" marks a value the report did not record)

2184 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
2184 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
2184 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6112 | 92f6019a04b29f6cd676706e49a554e0885ff2fcd8c19734a33633395cbb888e.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
4284 | armsvc.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
4284 | armsvc.exe | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2184 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
2184 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
- | - | A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
3 ETPRO signatures available at the full report
No debug info