File name: 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe

Full analysis: https://app.any.run/tasks/3e72ee21-e4cf-4160-9f16-bf2d1b13ca4f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 17, 2025, 21:40:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 8666B87653F291798AECF49683A8242C
SHA1: C038A4F76D70339707A2A5A3364985239C65FE19
SHA256: 11AED0C7D6D9651F063B56DA892E75A87C8E6AAD8F967C43D760D9972B386BE6
SSDEEP: 6144:zT74aUVndgCNy5swyyLQd8cJcUTczcfOrLCrO1OqtjrOsR:zT74aqdgCNyadd8acUGcfwuq3tjrOO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2276)
    • Connects to the CnC server

      • conlhost.exe (PID: 5552)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
    • Reads security settings of Internet Explorer

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Starts itself from another location

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
    • Executing commands from a ".bat" file

      • conlhost.exe (PID: 5552)
    • Likely accesses (executes) a file from the Public directory

      • conlhost.exe (PID: 5552)
      • reg.exe (PID: 2276)
      • cmd.exe (PID: 2144)
      • conlhost.exe (PID: 4528)
    • Executable content was dropped or overwritten

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
    • Starts CMD.EXE for command execution

      • conlhost.exe (PID: 5552)
    • Connects to the server without a host name

      • conlhost.exe (PID: 5552)
    • Uses REG/REGEDIT.EXE to modify registry

      • conlhost.exe (PID: 5552)
    • Contacting a server suspected of hosting a CnC

      • conlhost.exe (PID: 5552)
  • INFO

    • Reads the machine GUID from the registry

      • conlhost.exe (PID: 5552)
      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 4528)
    • Checks supported languages

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Checks proxy server information

      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
      • slui.exe (PID: 2596)
    • Reads the computer name

      • conlhost.exe (PID: 5552)
      • 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe (PID: 6376)
      • conlhost.exe (PID: 4528)
    • Creates files or folders in the user directory

      • conlhost.exe (PID: 5552)
      • conlhost.exe (PID: 4528)
    • Launching a file from a Registry key

      • reg.exe (PID: 2276)
    • Reads the software policy settings

      • conlhost.exe (PID: 4528)
      • conlhost.exe (PID: 5552)
      • slui.exe (PID: 2596)
    • Manual execution by a user

      • conlhost.exe (PID: 4528)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (28.6)
.exe | UPX compressed Win32 Executable (28)
.exe | Win32 EXE Yoda's Crypter (27.5)
.dll | Win32 Dynamic Link Library (generic) (6.8)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:17 12:23:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 275968
InitializedDataSize: 102912
UninitializedDataSize: -
EntryPoint: 0x26c81
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
Total processes: 143
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process chain from the start node): 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe, conlhost.exe, cmd.exe (no specs), conhost.exe (no specs), reg.exe, conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), conlhost.exe, slui.exe

Process information (fields: PID, CMD, Path, Indicators, Parent process)
PID: 1100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2144
CMD: C:\WINDOWS\system32\cmd.exe /c C:\users\Public\del.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: conlhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2276
CMD: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "allkeeper" /t REG_SZ /d "C:\users\Public\conlhost.exe" /f /reg:64
Path: C:\Windows\SysWOW64\reg.exe
Parent process: conlhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2460
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2596
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: reg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4528
CMD: C:\users\Public\conlhost.exe
Path: C:\Users\Public\conlhost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\public\conlhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4708
CMD: REG ADD "HKEY_CURRENT_USER\SOFTWARE" /v "crypted" /t REG_SZ /d "1" /reg:64
Path: C:\Windows\SysWOW64\reg.exe
Parent process: conlhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5552
CMD: "C:\users\Public\conlhost.exe"
Path: C:\Users\Public\conlhost.exe
Parent process: 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\public\conlhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6376
CMD: "C:\Users\admin\Desktop\2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe"
Path: C:\Users\admin\Desktop\2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 10 689
Read events: 10 678
Write events: 11
Delete events: 0

Modification events

PID 6376, 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value:

PID 6376, 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

PID 6376, 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

PID 5552, conlhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value:

PID 5552, conlhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

PID 5552, conlhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

PID 2276, reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write | Name: allkeeper | Value: C:\users\Public\conlhost.exe

PID 4708, reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE
Operation: write | Name: crypted | Value: 1

PID 4528, conlhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix | Value:

PID 4528, conlhost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:
Executable files: 1
Suspicious files: 60
Text files: 17
Unknown types: 2

Dropped files (PID | Process | Filename | Type)

5552 | conlhost.exe | C:\Users\admin\Desktop\loanset.rtf | binary
MD5: 1A5ED9B26DAD5312C4A6814C71D8B513
SHA256: E48F9D39847EA9D4E83B8668EFE544D002BF24774D9359731AF6618A3E2204C8

6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | C:\Users\Public\del.bat | text
MD5: 3CEA07C071D1886AFBEE6B5100493D8E
SHA256: 41026CCB3D81790B3740CCD078922BE6806B18C898297609314C340688EE61C6

5552 | conlhost.exe | C:\Users\admin\AppData\Local\VirtualStore\FILES_BACK.txt | text
MD5: FC605D0A0029F229D0ED645293ECE316
SHA256: A2A678D59020D212A1EC32810466B9A2BC4D17FCFFF8EDD6C07C5AA8EF15B25F

5552 | conlhost.exe | C:\Users\admin\Desktop\A0.R5A | binary
MD5: C7E8EF5BD7A757CD99ED008141EDDDD7
SHA256: 3595B93BFE4C9EB6F6ACEF540BBB07189F307018F7917E775D065F3D0D949ECC

5552 | conlhost.exe | C:\Users\admin\Desktop\productionwood.jpg | binary
MD5: 2ABDB2CC16B3B3171E585C066EFF3165
SHA256: 11D17D70ECF0E8B9EF5C971CDC072CE80C6DC7F4080D0B4D81C4E513AA2E741D

5552 | conlhost.exe | C:\Users\admin\Desktop\A3.R5A | binary
MD5: 82A3C279980DBC92B974EDFE978AE169
SHA256: 12620C1EDED88CFFD69CA675A47ECFD4E427C47299CEFB773201C4D0F38A680B

5552 | conlhost.exe | C:\Users\admin\Desktop\A4.R5A | binary
MD5: 1A5ED9B26DAD5312C4A6814C71D8B513
SHA256: E48F9D39847EA9D4E83B8668EFE544D002BF24774D9359731AF6618A3E2204C8

5552 | conlhost.exe | C:\Users\admin\Desktop\practiceshow.rtf | binary
MD5: 6081ADA4A63B2183EFC2FCABB5216A28
SHA256: 612334677E81D86CB43641E5EDBF2AF602CED7B5F5A8635F3E40317AC89C9D17

5552 | conlhost.exe | C:\Users\admin\Desktop\albumaccounts.jpg | binary
MD5: C7E8EF5BD7A757CD99ED008141EDDDD7
SHA256: 3595B93BFE4C9EB6F6ACEF540BBB07189F307018F7917E775D065F3D0D949ECC

5552 | conlhost.exe | C:\Users\admin\Desktop\A6.R5A | binary
MD5: 2ABDB2CC16B3B3171E585C066EFF3165
SHA256: 11D17D70ECF0E8B9EF5C971CDC072CE80C6DC7F4080D0B4D81C4E513AA2E741D
HTTP(S) requests: 40
TCP/UDP connections: 60
DNS requests: 22
Threats: 9

HTTP requests (PID | Process | Method | HTTP Code | IP | URL | CN | Reputation; empty fields were not recorded in the report)

1268 | svchost.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | GET | | 46.45.169.106:80 | http://46.45.169.106/sellKfjmfokt5lm5v14kol1vj35/redirect.php | unknown | malicious
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7084 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7084 | RUXIMICS.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
 | | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
1576 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
5552 | conlhost.exe | GET | | 46.45.169.106:80 | http://46.45.169.106/sellKfjmfokt5lm5v14kol1vj35/tgfertsngkrtlrg5.php?RIGHTS=admin&WIN=8%209200&WALLET=1Lud76Q98VRHCUiyK7XUs7AgFofrqXeP78&ID=%20&UI=888 | unknown | malicious

Connections (PID | Process | IP | Domain | ASN | CN | Reputation; empty fields were not recorded in the report)

1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7084 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6376 | 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe | 46.45.169.106:80 | | Istanbuldc Veri Merkezi Ltd Sti | TR | unknown
1268 | svchost.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7084 | RUXIMICS.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.241.14
  • 2.16.241.12
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.41
  • 23.216.77.25
  • 23.216.77.19
  • 23.216.77.38
  • 23.216.77.22
  • 23.216.77.20
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.128
  • 20.190.160.20
  • 20.190.160.14
  • 20.190.160.17
  • 20.190.160.4
  • 20.190.160.64
  • 40.126.32.136
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
blockchain.info
  • 104.16.117.55
  • 104.16.118.55
whitelisted
self.events.data.microsoft.com
  • 20.189.173.4
whitelisted

Threats (PID, Process, then each alert as Class: Message)

PID 6376, 2025-07-17_8666b87653f291798aecf49683a8242c_7ev3n_elex_hawkeye_mespinoza.exe
  • Potentially Bad Traffic: ET USER_AGENTS User-Agent (Internet Explorer)

PID 5552, conlhost.exe
  • Potentially Bad Traffic: ET USER_AGENTS User-Agent (Internet Explorer)

PID 5552, conlhost.exe
  • Malware Command and Control Activity Detected: ET MALWARE Win32/7ev3n Ransomware Initial Checkin
  • Potentially Bad Traffic: ET USER_AGENTS User-Agent (Internet Explorer)
  • A Network Trojan was detected: ET MALWARE 7ev3n Ransomware Related Activity (GET)

PID 5552, conlhost.exe
  • Potentially Bad Traffic: ET USER_AGENTS User-Agent (Internet Explorer)

PID 5552, conlhost.exe
  • Malware Command and Control Activity Detected: ET MALWARE Win32/7ev3n Ransomware Process Checkin
  • Potentially Bad Traffic: ET USER_AGENTS User-Agent (Internet Explorer)
  • A Network Trojan was detected: ET MALWARE 7ev3n Ransomware Related Activity (GET)
No debug info