File name: 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe

Full analysis: https://app.any.run/tasks/3e72ee21-e4cf-4160-9f16-bf2d1b13ca4f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 17, 2025, 21:40:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 8666B87653F291798AECF49683A8242C
SHA1: C038A4F76D70339707A2A5A3364985239C65FE19
SHA256: 11AED0C7D6D9651F063B56DA892E75A87C8E6AAD8F967C43D760D9972B386BE6
SSDEEP: 6144:zT74aUVndgCNy5swyyLQd8cJcUTczcfOrLCrO1OqtjrOsR:zT74aqdgCNyadd8acUGcfwuq3tjrOO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2276)
    • Connects to the CnC server

      • conlhost.exe (PID: 5552)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
    • Starts itself from another location

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
    • Executable content was dropped or overwritten

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
    • Reads security settings of Internet Explorer

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Likely accesses (executes) a file from the Public directory

      • conlhost.exe (PID: 5552)
      • cmd.exe (PID: 2144)
      • reg.exe (PID: 2276)
      • conlhost.exe (PID: 4528)
    • Starts CMD.EXE for commands execution

      • conlhost.exe (PID: 5552)
    • Executing commands from a ".bat" file

      • conlhost.exe (PID: 5552)
    • Connects to the server without a host name

      • conlhost.exe (PID: 5552)
    • Uses REG/REGEDIT.EXE to modify registry

      • conlhost.exe (PID: 5552)
    • Contacting a server suspected of hosting a CnC

      • conlhost.exe (PID: 5552)
  • INFO

    • Reads the computer name

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Checks supported languages

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Reads the machine GUID from the registry

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Checks proxy server information

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
      • slui.exe (PID: 2596)
    • Creates files or folders in the user directory

      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Launching a file from a Registry key

      • reg.exe (PID: 2276)
    • Manual execution by a user

      • conlhost.exe (PID: 4528)
    • Reads the software policy settings

      • conlhost.exe (PID: 4528)
      • slui.exe (PID: 2596)
      • conlhost.exe (PID: 5552)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:17 12:23:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 275968
InitializedDataSize: 102912
UninitializedDataSize: -
EntryPoint: 0x26c81
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 143
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in the order listed by the report: start, 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe, conlhost.exe, cmd.exe (no specs), conhost.exe (no specs), reg.exe, conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), conlhost.exe, slui.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: C:\WINDOWS\system32\cmd.exe /c C:\users\Public\del.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: conlhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2276
CMD: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
Path: C:\Windows\SysWOW64\reg.exe
Parent process: conlhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2460
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2596
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4528
CMD: C:\users\Public\conlhost.exe
Path: C:\Users\Public\conlhost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\public\conlhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4708
CMD: REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
Path: C:\Windows\SysWOW64\reg.exe
Parent process: conlhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5552
CMD: "C:\users\Public\conlhost.exe"
Path: C:\Users\Public\conlhost.exe
Parent process: 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\public\conlhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6376
CMD: "C:\Users\admin\Desktop\2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe"
Path: C:\Users\admin\Desktop\2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 10 689
Read events: 10 678
Write events: 11
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(6376) 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
(6376) 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(6376) 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(5552) conlhost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
(5552) conlhost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(5552) conlhost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(2276) reg.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | allkeeper | C:\users\Public\conlhost.exe
(4708) reg.exe | HKEY_CURRENT_USER\SOFTWARE | write | crypted | 1
(4528) conlhost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
(4528) conlhost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
Executable files: 1
Suspicious files: 60
Text files: 17
Unknown types: 2

Dropped files

PID | Process | Filename | Type
5552 | conlhost.exe | C:\Users\admin\Desktop\cabletraditional.jpg | binary
MD5: 7702F4999F77124D56F6792DADC2DCAA
SHA256: 045B5A80691DF7D9FE2DED3CA5E40ADDDAD4D049BCE33CEE319FC61270CAE14B
5552 | conlhost.exe | C:\Users\Public\testdecrypt | text
MD5: 93FAFE7E4BE1DB9E22212A68E8BA7451
SHA256: DBABCF3E13E61743109F839A1D10FF1DC0BCE5BC76AF2D24B1A3C24448618DD3
5552 | conlhost.exe | C:\Users\admin\Desktop\albumaccounts.jpg | binary
MD5: C7E8EF5BD7A757CD99ED008141EDDDD7
SHA256: 3595B93BFE4C9EB6F6ACEF540BBB07189F307018F7917E775D065F3D0D949ECC
5552 | conlhost.exe | C:\Users\admin\Desktop\bedasked.jpg | binary
MD5: 5671D043A158F02A794D6DF21803443F
SHA256: BF868EBB8BFB105C0495CE548023F6E975B88F367F3402E38A4B28D5BF2E12ED
6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | C:\Users\Public\conlhost.exe | executable
MD5: 8666B87653F291798AECF49683A8242C
SHA256: 11AED0C7D6D9651F063B56DA892E75A87C8E6AAD8F967C43D760D9972B386BE6
5552 | conlhost.exe | C:\Users\admin\Desktop\A3.R5A | binary
MD5: 82A3C279980DBC92B974EDFE978AE169
SHA256: 12620C1EDED88CFFD69CA675A47ECFD4E427C47299CEFB773201C4D0F38A680B
5552 | conlhost.exe | C:\Users\admin\FILES_BACK.txt | text
MD5: FC605D0A0029F229D0ED645293ECE316
SHA256: A2A678D59020D212A1EC32810466B9A2BC4D17FCFFF8EDD6C07C5AA8EF15B25F
5552 | conlhost.exe | C:\Users\admin\Desktop\A0.R5A | binary
MD5: C7E8EF5BD7A757CD99ED008141EDDDD7
SHA256: 3595B93BFE4C9EB6F6ACEF540BBB07189F307018F7917E775D065F3D0D949ECC
5552 | conlhost.exe | C:\Users\admin\Desktop\loanset.rtf | binary
MD5: 1A5ED9B26DAD5312C4A6814C71D8B513
SHA256: E48F9D39847EA9D4E83B8668EFE544D002BF24774D9359731AF6618A3E2204C8
5552 | conlhost.exe | C:\Users\Public\files | text
MD5: E4EA1D7A4F5FADD3B6550102D317A11C
SHA256: 5CD86F834BD898839428460406680F3319227A8D30C31458180E95328002322F
HTTP(S) requests: 40
TCP/UDP connections: 60
DNS requests: 22
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns were empty for every row and are omitted.)
1268 | svchost.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | GET | | 46.45.169.106:80 | http://46.45.169.106/sellKfjmfokt5lm5v14kol1vj35/redirect.php | unknown | malicious
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7084 | RUXIMICS.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7084 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5552 | conlhost.exe | GET | | 46.45.169.106:80 | http://46.45.169.106/sellKfjmfokt5lm5v14kol1vj35/tgfertsngkrtlrg5.php?RIGHTS=admin&WIN=8%209200&WALLET=1Lud76Q98VRHCUiyK7XUs7AgFofrqXeP78&ID=%20&UI=888 | unknown | malicious
| | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown |
1576 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7084 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | 46.45.169.106:80 | | Istanbuldc Veri Merkezi Ltd Sti | TR | unknown
1268 | svchost.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7084 | RUXIMICS.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.12
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.41
  • 23.216.77.25
  • 23.216.77.19
  • 23.216.77.38
  • 23.216.77.22
  • 23.216.77.20
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.128
  • 20.190.160.20
  • 20.190.160.14
  • 20.190.160.17
  • 20.190.160.4
  • 20.190.160.64
  • 40.126.32.136
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
blockchain.info
  • 104.16.117.55
  • 104.16.118.55
whitelisted
self.events.data.microsoft.com
  • 20.189.173.4
whitelisted

Threats

PID | Process | Class | Message
6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
5552 | conlhost.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
5552 | conlhost.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/7ev3n Ransomware Initial Checkin
5552 | conlhost.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
5552 | conlhost.exe | A Network Trojan was detected | ET MALWARE 7ev3n Ransomware Related Activity (GET)
5552 | conlhost.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
5552 | conlhost.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/7ev3n Ransomware Process Checkin
5552 | conlhost.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer)
5552 | conlhost.exe | A Network Trojan was detected | ET MALWARE 7ev3n Ransomware Related Activity (GET)
No debug info