File name: e521c01f-7f8d-48b0-83c5-4ee7fc13085e

Full analysis: https://app.any.run/tasks/dc6bab5d-bb02-4d7d-a81f-cb992a046b81
Verdict: Malicious activity
Threats:

Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became well-known for its file encryption, offline capabilities, and sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also targets everyday users encrypting personal files (photos, documents) with the risk of their permanent loss.

Analysis date: April 29, 2025, 22:07:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
cerber
ransomware
evasion
possible-phishing
phish-url
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 2FD373CC9A80D11FB6A4E178753C41F0
SHA1: 1C80A30C4AF7F13D4EF2C5A77D972EC1442D4408
SHA256: CF0C32C9E1BD90EF9F9EF7D1FC487BF6C2FA385B901ED6214D697D5555D923A2
SSDEEP: 3072:Y0vFtdgsgpKMAf9cebi3f7XtO7/fir9+ZoQR:jvzdgzA870/ax+Zo4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • CERBER mutex has been found

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Create files in the Startup directory

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
    • The process uses screensaver hijack for persistence

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Starts CMD.EXE for self-deleting

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Deletes shadow copies

      • CertEnrollCtrl.exe (PID: 3096)
    • Using BCDEDIT.EXE to modify recovery options

      • CertEnrollCtrl.exe (PID: 3096)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
    • Starts itself from another location

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
    • Hides command output

      • cmd.exe (PID: 1120)
      • cmd.exe (PID: 3528)
    • Reads security settings of Internet Explorer

      • CertEnrollCtrl.exe (PID: 3096)
    • Reads the Internet Settings

      • CertEnrollCtrl.exe (PID: 3096)
      • WMIC.exe (PID: 3216)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3836)
    • Starts CMD.EXE for commands execution

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1120)
      • cmd.exe (PID: 3528)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 1120)
      • cmd.exe (PID: 3528)
    • Possibly a phishing URL contains email has been detected

      • msedge.exe (PID: 4072)
    • Start notepad (likely ransomware note)

      • CertEnrollCtrl.exe (PID: 3096)
    • The process executes VB scripts

      • CertEnrollCtrl.exe (PID: 3096)
    • Checks for external IP

      • svchost.exe (PID: 1080)
      • CertEnrollCtrl.exe (PID: 3096)
  • INFO

    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Creates files or folders in the user directory

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
      • CertEnrollCtrl.exe (PID: 3096)
    • Checks proxy server information

      • CertEnrollCtrl.exe (PID: 3096)
    • Application launched itself

      • msedge.exe (PID: 4072)
      • msedge.exe (PID: 4060)
      • msedge.exe (PID: 2220)
    • Manual execution by a user

      • notepad.exe (PID: 3228)
      • msedge.exe (PID: 2220)
      • HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe (PID: 2604)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2017:07:07 21:58:04+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe
No data.
All screenshots are available in the full report
Total processes: 86
Monitored processes: 39
Malicious processes: 2
Suspicious processes: 3

Behavior graph

start winrar.exe #CERBER heur-trojan-ransom.win32.zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe #CERBER certenrollctrl.exe cmd.exe no specs taskkill.exe no specs ping.exe no specs vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs svchost.exe msedge.exe no specs notepad.exe no specs msedge.exe no specs wscript.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs taskkill.exe no specs ping.exe no specs notepad.exe no specs

Process information

PID: 148
CMD: ping -n 1 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 672
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2216 --field-trial-handle=1024,i,11339710318626279520,9540784204173723461,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 948
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2468 --field-trial-handle=1024,i,11339710318626279520,9540784204173723461,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1080
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1120
CMD: /d /c taskkill /t /f /im "HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe" > NUL
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1120
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1024,i,11339710318626279520,9540784204173723461,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1168
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\# DECRYPT MY FILES #.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: CertEnrollCtrl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1180
CMD: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: CertEnrollCtrl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1224
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\e521c01f-7f8d-48b0-83c5-4ee7fc13085e.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1276
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3232 --field-trial-handle=1024,i,11339710318626279520,9540784204173723461,131072 --enable-features=msMicrosoftRootStoreUsed /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 030
Read events: 9 819
Write events: 194
Delete events: 17

Modification events

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\e521c01f-7f8d-48b0-83c5-4ee7fc13085e.7z

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1224) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 6
Suspicious files: 1 150
Text files: 647
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3096 | CertEnrollCtrl.exe | C:\Users\admin\Downloads\michiganhigh.png | binary
MD5: 4693B36D59A29649E42F705DE98D6B14
SHA256: 6EF77C3E97B202C89E535722D5F6B0611E03DEE13D5154F4599AA4E4A037A36D
2604 | HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CertEnrollCtrl.lnk | binary
MD5: A53564110E6156D3F9D61C228F4F652F
SHA256: FE503036D7CF2BEFD2FDAD85D9D38E5853C04DF740046EA7DDA872D559838DE1
3096 | CertEnrollCtrl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\json[1].htm | html
MD5: E89F75F918DBDCEE28604D4E09DD71D7
SHA256: 6DC9C7FC93BB488BB0520A6C780A8D3C0FB5486A4711ACA49B4C53FAC7393023
3096 | CertEnrollCtrl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\json[1].json | binary
MD5: C0F25B1F2A7CF4E0DCFD1C530E98EC90
SHA256: FA52581A25BBE45EC9B9C8088FAA13EBC492E1C4F13AFB69C75102F7770FC3A8
3096 | CertEnrollCtrl.exe | C:\Users\admin\AppData\Roaming\Notepad++\session.xml | binary
MD5: ADF0F2F4724CF7D695243795C4A0DA8C
SHA256: FE9FF4791E781F66C4185091FEF317B108DEB9379FD4B9387BB9CF58C5B20A02
1224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1224.29214\HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe | executable
MD5: 9F69924870406BEB3EDAB0DA57C34611
SHA256: 1A01FAA2B4305C864972AD1CD98BDEF35551430028FF9AB6D372F5A1AECBACB2
3096 | CertEnrollCtrl.exe | C:\Users\admin\Pictures\ljTLZ179F5.cerber | binary
MD5: 61D658FB40CCDCB09FADADD2DA35CDFC
SHA256: 5767D3A1DAC3E7337E39502495206ED8C64BF76BBD7352A8F5E3BB8633CA7E96
2604 | HEUR-Trojan-Ransom.Win32.Zerber.pef-1a01faa2b4305c864972ad1cd98bdef35551430028ff9ab6d372f5a1aecbacb2.exe | C:\Users\admin\AppData\Roaming\{6B977300-2501-F740-F2C0-799D6ACA21C2}\CertEnrollCtrl.exe | executable
MD5: 9F69924870406BEB3EDAB0DA57C34611
SHA256: 1A01FAA2B4305C864972AD1CD98BDEF35551430028FF9AB6D372F5A1AECBACB2
3096 | CertEnrollCtrl.exe | C:\Users\admin\Downloads\# DECRYPT MY FILES #.html | html
MD5: CE80A857A3EDBA938C2BE95314D84DEA
SHA256: 83619210806DB5CF758083BC28906AD2C500EC4FA4D65282D6B7245663D4A581
3096 | CertEnrollCtrl.exe | C:\Users\admin\Documents\Outlook Files\CD1iKGL-hy.cerber | binary
MD5: 6BFDCC263752DE216573C7F2975DEB2F
SHA256: 13091094A50E8117D9AF561BC46F4AEC192F9F6FA4A450C45806E0E6D5527422
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 49 165
DNS requests: 19
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3096 | CertEnrollCtrl.exe | GET | 200 | 15.197.148.33:80 | http://freegeoip.net/json/ | unknown | shared
3096 | CertEnrollCtrl.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | whitelisted
3096 | CertEnrollCtrl.exe | GET | 403 | 34.117.59.81:80 | http://ipinfo.io/json | unknown | whitelisted

Connections

PID | Process | IP | Reputation
4 | System | 192.168.100.255:137 | whitelisted
- | - | 224.0.0.252:5355 | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3096 | CertEnrollCtrl.exe | 85.93.0.0:6892 | unknown
3096 | CertEnrollCtrl.exe | 85.93.0.7:6892 | unknown
3096 | CertEnrollCtrl.exe | 85.93.0.3:6892 | unknown
3096 | CertEnrollCtrl.exe | 85.93.0.4:6892 | unknown
3096 | CertEnrollCtrl.exe | 85.93.0.5:6892 | unknown
3096 | CertEnrollCtrl.exe | 85.93.0.6:6892 | unknown

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.78, 172.217.23.206 | whitelisted
ipinfo.io | 34.117.59.81 | whitelisted
freegeoip.net | 15.197.148.33, 3.33.130.190 | shared
ip-api.com | 208.95.112.1 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 150.171.28.11, 150.171.27.11 | whitelisted
cerberhhyed5frqa.azlto5.win | - | unknown
www.bing.com | 104.126.37.131, 104.126.37.145 | whitelisted

Threats

PID | Process | Class | Message
3096 | CertEnrollCtrl.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
1080 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
3096 | CertEnrollCtrl.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
1080 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)
No debug info