File name: agent.exe
Full analysis: https://app.any.run/tasks/efa6895f-2d4f-4907-82e0-1c6a626ee0b9
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data to extort payment. Most often it encrypts files on the infected machine and demands a fee in exchange for the decryption key. Operators may also steal sensitive information from the compromised host and run DDoS attacks against the affected organization to pressure it into paying.

Analysis date: August 19, 2024, 12:20:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sodinokibi
revil
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 561CFFBABA71A6E8CC1CDCEDA990EAD4
SHA1: 5162F14D75E96EDB914D1756349D6E11583DB0B0
SHA256: D55F983C994CAA160EC63A59F6B4250FE67FB3E8C43A388AEC60A4A6978E9F1E
SSDEEP: 24576:vMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:kfF7k4pB/JYPIsAE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • MsMpEng.exe (PID: 6944)
    • SODINOKIBI has been detected (YARA)

      • MsMpEng.exe (PID: 6944)
    • Renames files like ransomware

      • MsMpEng.exe (PID: 6944)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • agent.exe (PID: 6928)
    • Process drops legitimate windows executable

      • agent.exe (PID: 6928)
    • Starts a Microsoft application from unusual location

      • MsMpEng.exe (PID: 6944)
    • Executable content was dropped or overwritten

      • agent.exe (PID: 6928)
    • Uses NETSH.EXE to change the status of the firewall

      • MsMpEng.exe (PID: 6944)
    • Creates file in the systems drive root

      • MsMpEng.exe (PID: 6944)
    • Creates files like ransomware instruction

      • MsMpEng.exe (PID: 6944)
  • INFO

    • Creates files in a temporary directory

      • agent.exe (PID: 6928)
      • MsMpEng.exe (PID: 6944)
    • Failed to create an executable file in Windows directory

      • agent.exe (PID: 6928)
    • Checks supported languages

      • agent.exe (PID: 6928)
      • MsMpEng.exe (PID: 6944)
    • Reads the computer name

      • MsMpEng.exe (PID: 6944)
    • Reads Environment values

      • MsMpEng.exe (PID: 6944)
    • Reads security settings of Internet Explorer

      • netsh.exe (PID: 7104)
      • notepad.exe (PID: 4436)
    • Dropped object may contain TOR URLs

      • MsMpEng.exe (PID: 6944)
    • Manual execution by a user

      • notepad.exe (PID: 4436)
      • msedge.exe (PID: 6248)
    • Application launched itself

      • msedge.exe (PID: 6248)
      • msedge.exe (PID: 5064)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6248)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

Note: TRiD's top guess (Win64) is a byte-pattern heuristic and conflicts with the PE header below (PE32, 32-bit); trust the header.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:07:01 12:40:29+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.23
CodeSize: 45568
InitializedDataSize: 863232
UninitializedDataSize: -
EntryPoint: 0x13ef
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
180
Monitored processes
46
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in the graph, with the label the sandbox attached to each:

- agent.exe (#SODINOKIBI), the starting process
- msmpeng.exe (no specs)
- netsh.exe (no specs)
- conhost.exe (no specs)
- unsecapp.exe (no specs)
- notepad.exe (no specs)
- msedge.exe, two unlabeled instances plus numerous child instances (no specs)
- identity_helper.exe, several instances (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 236
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4900 --field-trial-handle=1344,i,11868069125041312688,7978687670382813675,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 1048
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3240 --field-trial-handle=1344,i,11868069125041312688,7978687670382813675,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1076
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4956 --field-trial-handle=1344,i,11868069125041312688,7978687670382813675,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 1128
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2824 --field-trial-handle=2400,i,2833361975790833105,11710494533830071684,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images loaded):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1280
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5596 --field-trial-handle=1344,i,11868069125041312688,7978687670382813675,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1452
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5072 --field-trial-handle=1344,i,11868069125041312688,7978687670382813675,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1928
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2504 --field-trial-handle=2400,i,2833361975790833105,11710494533830071684,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
Modules (images loaded):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 1944
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3996 --field-trial-handle=2400,i,2833361975790833105,11710494533830071684,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 2468
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5024 --field-trial-handle=2400,i,2833361975790833105,11710494533830071684,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 3144
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5788 --field-trial-handle=2400,i,2833361975790833105,11710494533830071684,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

Total events
8 648
Read events
8 626
Write events
21
Delete events
1

Modification events

Process: (6944) MsMpEng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
Operation: write
Name: Ed7
Value: F7F020C8BBD612F8966EFB9AC91DA4D10D78D1EF4B649E61C2B9ADA3FCC2C853

Process: (6944) MsMpEng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
Operation: write
Name: QIeQ
Value: A1BC7AA7402B8EAC331D8C3953A090B21AB19184A4022F501A14C37CFC6D5177

Process: (6944) MsMpEng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
Operation: write
Name: 96Ia6
Value: A8986D30FACF67CDBBFC9D6A7EDCF82E4226EF0B5052C49C9C1A606A008A8328F05E8AA2768ED3E2B6F3E86CDB9C4E96F9A764919EC2C98FB3AC1C39391C4B633A31046018FE24B674BB8F22FDEA11F0083A2AAA6EE3CEE3

Process: (6944) MsMpEng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
Operation: write
Name: Ucr1RB
Value: 259382A8B2C9E7B9F957DC642FB80ACD2491FED091406F3CE85AA585476586BF0C37A0F5322210FD763565BE94C5442EAEC6A9E2C3C110F577B9E24941E7C734CD19D662AE4A55930FBDDE0E0042AA6D90FD3FE77E4CA2BE

Process: (6944) MsMpEng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
Operation: write
Name: wJWsTYE
Value: .rmz04v787

Process: (6944) MsMpEng.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter
Operation: write
Name: JmfOBvhb
Value: 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

Process: (6248) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (6248) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

Process: (6248) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value:

Process: (6248) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000
Executable files
20
Suspicious files
479
Text files
108
Unknown types
1

Dropped files

PID 6928, agent.exe: C:\Users\admin\AppData\Local\Temp\MsMpEng.exe (executable)
  MD5: 8CC83221870DD07144E63DF594C391D9
  SHA256: 33BC14D231A4AFAA18F06513766D5F69D8B88F1E697CD127D24FB4B72AD44C7A
PID 6944, MsMpEng.exe: C:\Users\Public\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6944, MsMpEng.exe: C:\Users\admin\Desktop\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6944, MsMpEng.exe: C:\Users\admin\Contacts\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6944, MsMpEng.exe: C:\Users\admin\.ms-ad\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6944, MsMpEng.exe: C:\Users\admin\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6944, MsMpEng.exe: C:\Users\admin\Favorites\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6944, MsMpEng.exe: C:\Users\admin\Documents\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
PID 6928, agent.exe: C:\Users\admin\AppData\Local\Temp\mpsvc.dll (executable)
  MD5: A47CF00AEDF769D60D58BFE00C0B5421
  SHA256: 8DD620D9AEB35960BB766458C8890EDE987C33D239CF730F93FE49D90AE759DD
PID 6944, MsMpEng.exe: C:\Users\admin\3D Objects\rmz04v787-readme.txt (binary)
  MD5: 48100CC5DC60363176243B31A509F35B
  SHA256: 026B47AE1B22C358535A3B30C9D7809A8CD6D5DE231ABD647B0F713C09361500
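The registry writes of PID 6944 and the files it dropped fit together. Published analyses of REvil describe one registry key, with value names randomised per build, holding the per-victim public key, the encrypted secret key, a statistics blob and the random file extension, and a ransom note named after that extension. Here wJWsTYE holds .rmz04v787, every note is rmz04v787-readme.txt, and all copies share one MD5. The triage routine below is an added example written for this page, not ANY.RUN code: it classifies the registry values by shape (byte length, extension pattern) rather than by name and cross-checks the note name and hashes against the dropped-file list. Its inputs are copied from this report; the value redacted on the page is carried as None, and the extension-length bounds in the regex are an assumption.

```python
"""Added example: correlate the registry writes of MsMpEng.exe (PID 6944)
with the files it dropped, matching REvil's registry values by shape rather
than by their randomised names. Inputs are copied from this report."""
import re

REG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\BlackLivesMatter"

# (value name, data) as written by PID 6944. The last value is redacted on
# the page, so it is carried here as None.
REG_WRITES = [
    ("Ed7", "F7F020C8BBD612F8966EFB9AC91DA4D10D78D1EF4B649E61C2B9ADA3FCC2C853"),
    ("QIeQ", "A1BC7AA7402B8EAC331D8C3953A090B21AB19184A4022F501A14C37CFC6D5177"),
    ("96Ia6", "A8986D30FACF67CDBBFC9D6A7EDCF82E4226EF0B5052C49C9C1A606A008A8328"
              "F05E8AA2768ED3E2B6F3E86CDB9C4E96F9A764919EC2C98FB3AC1C39391C4B63"
              "3A31046018FE24B674BB8F22FDEA11F0083A2AAA6EE3CEE3"),
    ("Ucr1RB", "259382A8B2C9E7B9F957DC642FB80ACD2491FED091406F3CE85AA585476586BF"
               "0C37A0F5322210FD763565BE94C5442EAEC6A9E2C3C110F577B9E24941E7C734"
               "CD19D662AE4A55930FBDDE0E0042AA6D90FD3FE77E4CA2BE"),
    ("wJWsTYE", ".rmz04v787"),
    ("JmfOBvhb", None),
]

# (path, MD5) from the "Dropped files" table above.
NOTE_MD5 = "48100CC5DC60363176243B31A509F35B"
DROPPED = [
    (r"C:\Users\admin\AppData\Local\Temp\MsMpEng.exe", "8CC83221870DD07144E63DF594C391D9"),
    (r"C:\Users\Public\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\Desktop\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\Contacts\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\.ms-ad\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\Favorites\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\Documents\rmz04v787-readme.txt", NOTE_MD5),
    (r"C:\Users\admin\AppData\Local\Temp\mpsvc.dll", "A47CF00AEDF769D60D58BFE00C0B5421"),
    (r"C:\Users\admin\3D Objects\rmz04v787-readme.txt", NOTE_MD5),
]

HEX_BLOB = re.compile(r"^(?:[0-9A-F]{2})+$", re.I)
# Assumption: a REvil extension is a dot plus 4..12 lowercase alphanumerics.
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{4,12}$")


def classify(value):
    """Shape-based label: value names are random, byte lengths are not."""
    if value is None:
        return "redacted"
    if RANDOM_EXT.match(value):
        return "extension"
    if HEX_BLOB.match(value):
        return f"blob:{len(value) // 2}B"
    return "other"


def triage(reg_writes, dropped):
    """Classify the registry values and tie the extension to the ransom notes."""
    result = {
        "key": REG_KEY,
        "values": {name: classify(v) for name, v in reg_writes},
        "extension": None,
        "note_name": None,
        "notes": [],
        "note_hash_consistent": None,
    }
    ext = next((v for _, v in reg_writes if classify(v) == "extension"), None)
    if ext is None:
        return result
    result["extension"] = ext
    result["note_name"] = f"{ext[1:]}-readme.txt"
    notes = [(p, h) for p, h in dropped
             if p.lower().endswith("\\" + result["note_name"])]
    result["notes"] = [p for p, _ in notes]
    # Every copy of the note should be byte-identical; differing hashes would
    # mean per-directory notes (different victim IDs or URLs) and merit a look.
    result["note_hash_consistent"] = (len({h for _, h in notes}) == 1) if notes else None
    return result


if __name__ == "__main__":
    r = triage(REG_WRITES, DROPPED)
    print(r["key"])
    for name, label in r["values"].items():
        print(f"  {name:10} {label}")
    print("extension:", r["extension"], "-> note:", r["note_name"],
          f"({len(r['notes'])} copies, identical={r['note_hash_consistent']})")
```

On this report's data the routine labels two values as 32-byte blobs and two as 88-byte blobs, identifies .rmz04v787 as the extension, derives rmz04v787-readme.txt, finds the eight copies in the dropped-file list and confirms they carry one hash. The 32-byte and 88-byte sizes are the shape of REvil's public-key and encrypted-secret-key records, so a hunt query built on lengths survives the per-build renaming that a query on value names would not.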
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 43
DNS requests: 139
Threats: 15

Note: none of the HTTP requests or connections listed below is attributed to agent.exe or MsMpEng.exe; the captured traffic is Windows and Edge background activity, nearly all of it marked whitelisted. The IDS alerts on the ransomware decryptor domain are raised on DNS queries (see Threats).

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
32 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6892 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6480 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
- | - | GET | 304 | 2.16.241.13:80 | http://apps.identrust.com/roots/dstrootcax3.p7c | unknown | whitelisted
- | - | GET | 304 | 2.23.197.184:80 | http://x1.i.lencr.org/ | unknown | whitelisted
- | - | GET | 304 | 2.23.197.184:80 | http://r3.i.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4128 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5504 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
32 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
32 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6480 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
  • 216.58.206.78
  • 142.250.185.238
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.49.150.241
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.115.3.253
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.17
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.76
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Misc activity | SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
- | - | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
- | - | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
- | - | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
- | - | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
- | - | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
- | - | A Network Trojan was detected | ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
No debug info