File name: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin

Full analysis: https://app.any.run/tasks/3820452e-3b73-4120-8180-7fa52f957f6a
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 29, 2025, 13:31:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, generic, ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5: 5315BDBF85AD2B3BB13AE8EE62489F7F
SHA1: 8B0E4650F1A7080B78066A61152E571CA8B6816B
SHA256: DEE0FDE2D096C79E138890F958B9440E87CCE38504B654A97DE50BB7969A9C98
SSDEEP: 98304:t/72PAq2dOK1uZhLeC8A8m/51sLANqQcSnF3Y7nxYfzgWZaw3++Jill:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
    • Changes the autorun value in the registry

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
    • GENERIC has been found (auto)

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
    • Modifies files in the Chrome extension folder

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
  • INFO

    • Reads the computer name

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
    • Checks supported languages

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
    • Creates files or folders in the user directory

      • dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe (PID: 7512)
    • Manual execution by a user

      • notepad.exe (PID: 516)
      • notepad++.exe (PID: 4892)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 516)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:03 13:12:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.42
CodeSize: 1572352
InitializedDataSize: 1034240
UninitializedDataSize: 483328
EntryPoint: 0x619c8
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: svchost
FileDescription: svchost
FileVersion: 1.0.0.0
InternalName: svchost.dll
LegalCopyright:
OriginalFileName: svchost.dll
ProductName: svchost
ProductVersion: 1.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start
#GENERIC dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
rundll32.exe (no specs)
notepad.exe (no specs)
slui.exe (no specs)
notepad++.exe (no specs)

Process information

PID: 516
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\!RESTORE_FILES!.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2088
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4892
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\industryquestions.png.888"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company: Don HO don.h@free.fr
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
PID: 7512
CMD: "C:\Users\admin\Desktop\dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe"
Path: C:\Users\admin\Desktop\dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7636
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
Total events: 1 391
Read events: 1 390
Write events: 1
Delete events: 0

Modification events

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: FC5A714EFBF1AE255D0071443A0D08FE70B2DE19F1F288115EDF3E6FA5263DBF
Value: C:\Users\admin\Desktop\dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Executable files: 1
Suspicious files: 127
Text files: 1 077
Unknown types: 1

Dropped files

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\industryquestions.png.888
Type: image
MD5:D21F14DA3892A34A91B3CD4E55747EA5
SHA256:12ED1AD488FFD634C89E6FC8EFE8A50364BE9BA8FB7F66439042CB51AD374250

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\desktop.ini.888
Type: text
MD5:9E36CC3537EE9EE1E3B10FA4E761045B
SHA256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Windows\Temp\!wwkdsfdsfewt.txt
Type: text
MD5:43E7C2009AEA77D591C582A1E40DB736
SHA256:C7504B1AD60A398008898F08AAD56ED6A9914A18ECA823837925C4DBB47CF52C

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe.888
Type: executable
MD5:5315BDBF85AD2B3BB13AE8EE62489F7F
SHA256:DEE0FDE2D096C79E138890F958B9440E87CCE38504B654A97DE50BB7969A9C98

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\!RESTORE_FILES!.txt
Type: text
MD5:6BADFCF855D282BCBD4B6D1D79B0BD90
SHA256:C14DC68D5DD7D192340857DA9BB6D7EC35A1BD67598D55D561D103DD12B481A9

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\!RESTORE_FILES!.txt
Type: text
MD5:6BADFCF855D282BCBD4B6D1D79B0BD90
SHA256:C14DC68D5DD7D192340857DA9BB6D7EC35A1BD67598D55D561D103DD12B481A9

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\AppData\Local\Adobe\ARM\!RESTORE_FILES!.txt
Type: text
MD5:6BADFCF855D282BCBD4B6D1D79B0BD90
SHA256:C14DC68D5DD7D192340857DA9BB6D7EC35A1BD67598D55D561D103DD12B481A9

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\gamesaward.png.888
Type: binary
MD5:0B882F539B539B405D522595904C23F1
SHA256:9A9AB6DD5E612C9C3005375F153191439EE48185FE32DD41C35FC1398E3276B3

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\artsmetal.rtf.888
Type: text
MD5:12B5322047E504390FB2B470FE2D474D
SHA256:B170893423422ADAE8BC63BA3CF8675CE8EB514ADBD139ADF4A5CFF3ED9ACD2A

PID: 7512
Process: dee0fde2d096c79e138890f958b9440e87cce38504b654a97de50bb7969a9c98.bin.exe
Filename: C:\Users\admin\Desktop\committeeusing.rtf.888
Type: text
MD5:5C02ED6923382997B4F1798436A04A23
SHA256:80921FC8C750E354B6984D788B0762713E7B60A842D3E2F263D48A61DF03AFF4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 20
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
660
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
660
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.140:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
660
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.3
  • 40.126.32.136
  • 40.126.32.138
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.66
  • 20.190.160.2
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info