File name: shark.bin
Full analysis: https://app.any.run/tasks/f264f6f5-4f4b-4149-a4cd-ee85c0554b8a
Verdict: Malicious activity
Analysis date: May 20, 2025, 13:25:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 1C34124D40BD086CBC058267BDA5D76F
SHA1: 465EE2C0EDD007DFA01D38123620D808ACDFE4B6
SHA256: E882A6BC39D1EEF27CC0F7B15E649002AF592A90903C8E80164C049365B2268E
SSDEEP: 98304:EoiwjIbFzw5R3Q/GzWFNk7WYa53NTjIrh4UqqCmbW8mrl5D9sgiOdtxdqoTrT+6T:a+BQVnAA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • shark.bin.exe (PID: 3020)
      • shark.exe (PID: 768)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6388)
  • SUSPICIOUS

    • Executes application which crashes

      • shark.bin.exe (PID: 3020)
      • shark.exe (PID: 768)
    • Executable content was dropped or overwritten

      • shark.bin.exe (PID: 3020)
    • Starts CMD.EXE for commands execution

      • shark.bin.exe (PID: 3020)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 3060)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4180)
      • shark.exe (PID: 768)
    • Starts POWERSHELL.EXE for commands execution

      • shark.exe (PID: 768)
    • Connects to unusual port

      • shark.exe (PID: 768)
  • INFO

    • Checks supported languages

      • shark.bin.exe (PID: 3020)
      • OfficeClickToRun.exe (PID: 2896)
    • Creates files in the program directory

      • shark.bin.exe (PID: 3020)
      • PLUGScheduler.exe (PID: 4180)
    • Detects GO elliptic curve encryption (YARA)

      • shark.bin.exe (PID: 3020)
    • Application based on Golang

      • shark.bin.exe (PID: 3020)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • shark.bin.exe (PID: 3020)
    • Manual execution by a user

      • svchost.exe (PID: 2780)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 2916)
      • OfficeClickToRun.exe (PID: 2896)
      • svchost.exe (PID: 2872)
      • svchost.exe (PID: 3256)
      • svchost.exe (PID: 3312)
      • sppsvc.exe (PID: 3884)
      • svchost.exe (PID: 2688)
      • svchost.exe (PID: 3032)
      • svchost.exe (PID: 3060)
      • svchost.exe (PID: 3008)
      • svchost.exe (PID: 4384)
      • svchost.exe (PID: 4264)
      • svchost.exe (PID: 4536)
      • svchost.exe (PID: 2256)
      • svchost.exe (PID: 3900)
      • svchost.exe (PID: 3916)
      • svchost.exe (PID: 876)
      • svchost.exe (PID: 3448)
      • svchost.exe (PID: 4124)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 2136)
      • svchost.exe (PID: 3864)
      • svchost.exe (PID: 3324)
      • svchost.exe (PID: 4848)
      • svchost.exe (PID: 5672)
      • svchost.exe (PID: 5792)
      • svchost.exe (PID: 5980)
      • svchost.exe (PID: 6656)
      • svchost.exe (PID: 6340)
      • svchost.exe (PID: 6124)
      • svchost.exe (PID: 6184)
      • svchost.exe (PID: 2096)
      • uhssvc.exe (PID: 188)
      • svchost.exe (PID: 1180)
      • svchost.exe (PID: 1528)
      • TrustedInstaller.exe (PID: 5048)
      • svchost.exe (PID: 5156)
      • svchost.exe (PID: 2912)
      • svchost.exe (PID: 1916)
    • Disables trace logs

      • svchost.exe (PID: 3312)
    • Checks proxy server information

      • svchost.exe (PID: 2136)
    • Reads the computer name

      • PLUGScheduler.exe (PID: 4180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 351232
InitializedDataSize: 5707776
UninitializedDataSize: -
EntryPoint: 0x56a64
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 319
Monitored processes: 77
Malicious processes: 2
Suspicious processes: 1

Behavior graph

(Interactive graph not reproduced. Nodes shown in the graph: shark.bin.exe, sppextcomobj.exe, slui.exe, werfault.exe (multiple), cmd.exe, conhost.exe, schtasks.exe, svchost.exe (multiple), officeclicktorun.exe, sppsvc.exe, plugscheduler.exe, trustedinstaller.exe, shark.exe, powershell.exe (three instances), uhssvc.exe.)

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 188
CMD: "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Path: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Update Health Service
Version:
10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID: 768
CMD: "C:\ProgramData\shark.exe"
Path: C:\ProgramData\shark.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\shark.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 876
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 1180
CMD: C:\WINDOWS\System32\svchost.exe -k NetworkService -p -s WinRM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1272
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3020 -s 620
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: shark.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1528
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1912
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3020 -s 156
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: shark.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1916
CMD: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2096
CMD: C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2136
CMD: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vaultcli.dll
c:\windows\system32\windows.networking.connectivity.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
Total events: 40 995
Read events: 40 764
Write events: 192
Delete events: 39

Modification events

Process: svchost.exe (PID 2932)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config
Operation: write
Name: ServerName
Value: \BaseNamedObjects\WDI_{cd9f5bca-ce95-4428-bfb3-4ef65341f42f}

Process: svchost.exe (PID 2780)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winmgmt\Parameters
Operation: write
Name: ServiceDllUnloadOnStop
Value: 1

Process: svchost.exe (PID 3020)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters
Operation: delete value
Name: Guid
Value: (binary data, not printable)

Process: svchost.exe (PID 3020)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters
Operation: write
Name: Guid
Value: 938B9D6BC7464A45938F9541D39C6FC8

Process: svchost.exe (PID 3008)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\DaMultisite
Operation: delete value
Name: SelectedSite
Value: -

Process: svchost.exe (PID 3008)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iphlpsvc\DaMultisite
Operation: delete value
Name: SelectionMethod
Value: -

Process: svchost.exe (PID 3312)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasMan\Parameters
Operation: delete value
Name: AllocatedLuids
Value: -

Process: svchost.exe (PID 5156)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation: write
Name: MostackEnabled
Value: 1

Process: svchost.exe (PID 5156)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation: write
Name: MoStack
Value: 1

Process: svchost.exe (PID 5156)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator\Scheduler
Operation: write
Name: Checking to see if mostack override has changed
Value: 60A627FF8AC9DB01
Executable files: 1
Suspicious files: 99
Text files: 13
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

PID: 2932
Process: svchost.exe
Filename: C:\Windows\System32\sru\SRUDB.dat
Type: -
MD5: -
SHA256: -

PID: 3884
Process: sppsvc.exe
Filename: C:\Windows\System32\spp\store\2.0\data.dat.tmp
Type: binary
MD5: C7C6D58F9E2A32CE16ECAE42BC951434
SHA256: A8717B0BCEBF96616226B212641F2EC46F66989F35F8C112BD785EEAB4FE318F

PID: 4180
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.049.etl
Type: binary
MD5: 5EA68411BF8E9EAF4621BAF73F61449E
SHA256: 9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7

PID: 2896
Process: OfficeClickToRun.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\27EFE683-F590-4309-BDF5-E3CBB7CC6C78
Type: xml
MD5: 39A133BB25EC9A977418E12E4AF70F91
SHA256: 61D5BBDA8F855EBCD1A177A465A0804D1386C87BC75342B0D027EA47DA4D4561

PID: 4180
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.047.etl
Type: binary
MD5: FED961067F664B5381B65A534B7AB728
SHA256: 652F31A8284AE812D1D9D24192BC800976BF74C240591C6AC443A28C4709FB7C

PID: 2136
Process: svchost.exe
Filename: C:\Users\admin\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp
Type: text
MD5: 1611F17FF81F9C9BC5C9F1D9A6B4F483
SHA256: 7D131594BD87C139CBFF9BE8627FCFFA915EC02CC3422551FE7911A2045CA1EE

PID: 3884
Process: sppsvc.exe
Filename: C:\Windows\System32\spp\store\2.0\data.dat
Type: binary
MD5: C7C6D58F9E2A32CE16ECAE42BC951434
SHA256: A8717B0BCEBF96616226B212641F2EC46F66989F35F8C112BD785EEAB4FE318F

PID: 2136
Process: svchost.exe
Filename: C:\Users\admin\AppData\Local\ConnectedDevicesPlatform\L.admin.cdpresource
Type: text
MD5: DF774662471C7C4CE57E95D04B8F76C1
SHA256: A144B9FC551CA115244A441DDAC7E1B8286BB2FFC95877814D2FA0E864A8AB0C

PID: 4180
Process: PLUGScheduler.exe
Filename: C:\ProgramData\PLUG\Logs\RUXIMLog.050.etl
Type: binary
MD5: C8834D365FAE073DEDE1F1620454CE71
SHA256: C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B

PID: 3884
Process: sppsvc.exe
Filename: C:\Windows\System32\spp\store\2.0\data.dat.bak
Type: binary
MD5: C7C6D58F9E2A32CE16ECAE42BC951434
SHA256: A8717B0BCEBF96616226B212641F2EC46F66989F35F8C112BD785EEAB4FE318F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 71
DNS requests: 31
Threats: 2

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5260 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5260 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3432 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
5296 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6684 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
5736 | BackgroundTransferHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.36
  • 23.216.77.6
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.130
  • 40.126.32.134
  • 20.190.160.65
  • 20.190.160.67
  • 20.190.160.128
  • 40.126.32.138
  • 20.190.160.2
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.72
  • 20.190.160.66
  • 20.190.160.132
  • 20.190.160.64
  • 20.190.160.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
self.events.data.microsoft.com
  • 104.208.16.89
  • 40.79.141.153
whitelisted

Threats

Columns: PID | Process | Class | Message

2192 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES DNS Query to Commonly Actor Abused Online Service (data-seed-prebsc-2-s1 .binance .org)
768 | shark.exe | Misc activity | ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (data-seed-prebsc-2-s1 .binance .org in TLS SNI)
No debug info