File name:

183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe

Full analysis: https://app.any.run/tasks/08c7753e-bcca-4ae7-bd23-b4e6a2c8c774
Verdict: Malicious activity
Threats:

Medusa is a ransomware malware family targeting businesses and institutions. Medusa encrypts crucial data, rendering it inaccessible, and attempts to pressure users to pay to regain control of their information. The group behind this malicious software hosts a TOR website where it shares the list of the organizations whose infrastructure has been compromised. This malware utilizes various tactics, including exploiting vulnerabilities and employs a unique file extension (".MEDUSA") to mark encrypted files.

Malware Trends Tracker     >>>
Analysis date: October 03, 2025, 17:10:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
smb
ransomware
medusa
locker
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

361C72E2042E5A0EDE485B743E1708B2

SHA1:

C0CE83BD865263FDF2CDE83893CBDBA92ADC0491

SHA256:

183E9D0D23EE006D5172BA32D0237B853ADF1ED98BC318DC5EE5E1F8FB62B334

SSDEEP:

12288:z3MDMAxhA2z3YPG3KtGGC8NQHnIxYTnuOl:DMDMA02z3YPG3KtGGC8NQHn6YTnF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • UAC/LUA settings modification

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Medusa ransom note is found

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • MEDUSALOCKER has been detected (YARA)

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Renames files like ransomware

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Known privilege escalation attack

      • dllhost.exe (PID: 6184)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain shadow copy information

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Executable content was dropped or overwritten

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Creates file in the systems drive root

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Write to the desktop.ini file (may be used to cloak folders)

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Uses pipe srvsvc via SMB (transferring data)

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • The process creates files with name similar to system file names

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • The process executes via Task Scheduler

      • svhost.exe (PID: 1536)

  • INFO

    • Checks supported languages

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 7704)
      • svhost.exe (PID: 1536)
      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Reads the machine GUID from the registry

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 7704)
      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6184)
      • WMIC.exe (PID: 8244)
      • WMIC.exe (PID: 8452)
      • WMIC.exe (PID: 8580)

    • Reads the computer name

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 7704)
      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Creates files or folders in the user directory

      • 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe (PID: 3432)

    • Reads the software policy settings

      • slui.exe (PID: 6320)

    • Checks proxy server information

      • slui.exe (PID: 6320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:31 06:08:40+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.21
CodeSize: 241664
InitializedDataSize: 4096
UninitializedDataSize: 479232
EntryPoint: 0xaf510
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
183
Monitored processes
12
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe no specs CMSTPLUA #MEDUSA 183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe wmic.exe no specs conhost.exe no specs shellexperiencehost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs slui.exe svhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1536"C:\Users\admin\AppData\Roaming\svhost.exe"C:\Users\admin\AppData\Roaming\svhost.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3432"C:\Users\admin\AppData\Local\Temp\183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe" C:\Users\admin\AppData\Local\Temp\183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe
dllhost.exe
User:
admin
Integrity Level:
HIGH
6184C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\SysWOW64\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
6320C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
7704"C:\Users\admin\AppData\Local\Temp\183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe" C:\Users\admin\AppData\Local\Temp\183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
8244wmic.exe SHADOWCOPY /nointeractiveC:\Windows\SysWOW64\wbem\WMIC.exe183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
44124
Version:
10.0.19041.1 (WinBuild.160101.0800)
8276\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
8392"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
8452wmic.exe SHADOWCOPY /nointeractiveC:\Windows\SysWOW64\wbem\WMIC.exe183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
44124
Version:
10.0.19041.1 (WinBuild.160101.0800)
8460\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
943
Text files
141
Unknown types
0

Dropped files

PID
Process
Filename
Type
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\$RECYCLE.BIN\desktop.initext
MD5:AD0B0B4416F06AF436328A3C12DC491B
SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exeC:\Users\admin\AppData\Roaming\svhost.exeexecutable
MD5:361C72E2042E5A0EDE485B743E1708B2
SHA256:183E9D0D23EE006D5172BA32D0237B853ADF1ED98BC318DC5EE5E1F8FB62B334
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\how_to_back_files.htmlhtml
MD5:F3A77BDB3E6ECFB59C2464E2CAB64AF4
SHA256:3C87DB069AAC51EE84C13DEA622883DB9BB12DC62EFEBA1394C17333FFEDDB75
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exeC:\BOOTNXTbinary
MD5:9DA3E4A0DDC5433B722E1B273F631DA8
SHA256:F437AB464221A31E17CCF4E3D790E6FC8536B5EEAE4B6DDEFB30C09251C11877
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}\$RECYCLE.BIN\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.initext
MD5:AD0B0B4416F06AF436328A3C12DC491B
SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\memtest.efibinary
MD5:576A0D6F22C7C38EE350DFF173644475
SHA256:8855A00551766F1E3831990123B4FF7CE949DD8504C5DE239528D2A7045DF966
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\bootmgr.efi.mui.sickfilebinary
MD5:75DA052519ADB5208529E49C605768BE
SHA256:A3F5CD581521407098FC9C957B952EF76E89E7C28A58C8C830AC621CF92FCA18
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{2f5c5e73-85a9-11eb-90a8-9a9b76358421}\Recovery\WindowsRE\how_to_back_files.htmlhtml
MD5:F3A77BDB3E6ECFB59C2464E2CAB64AF4
SHA256:3C87DB069AAC51EE84C13DEA622883DB9BB12DC62EFEBA1394C17333FFEDDB75
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exeC:\BOOTNXT.sickfilebinary
MD5:9DA3E4A0DDC5433B722E1B273F631DA8
SHA256:F437AB464221A31E17CCF4E3D790E6FC8536B5EEAE4B6DDEFB30C09251C11877
3432183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe\\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\EFI\Microsoft\Boot\bg-BG\bootmgfw.efi.mui.sickfilebinary
MD5:9095DEE36BF040CFA6524B9A3CE162A4
SHA256:7D45058D75B03880504BC528D7FF7749A8CE523BEEF06B95A355F4C76A6BF8EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
44
DNS requests
17
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8988
backgroundTaskHost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
9004
backgroundTaskHost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3240
svchost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3240
svchost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8996
backgroundTaskHost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6016
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
8084
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.2:445
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.2:139
whitelisted
4
System
192.168.100.2:137
whitelisted
5224
SearchApp.exe
92.123.133.167:443
www.bing.com
Akamai International B.V.
DE
whitelisted
3240
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3240
svchost.exe
172.66.2.5:80
ocsp.digicert.com
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.bing.com
  • 92.123.133.167
  • 92.123.133.175
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.131
  • 20.190.159.129
  • 40.126.31.130
whitelisted
ocsp.digicert.com
  • 172.66.2.5
  • 162.159.142.9
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
arc.msn.com
  • 20.199.58.43
  • 20.105.99.58
whitelisted
fd.api.iris.microsoft.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
4
System
Not Suspicious Traffic
INFO [ANY.RUN] Possible SMB Connection Attempt
4
System
Not Suspicious Traffic
INFO [ANY.RUN] Possible SMB Connection Attempt
4
System
Not Suspicious Traffic
INFO [ANY.RUN] Possible SMB Connection Attempt
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
183e9d0d23ee006d5172ba32d0237b853adf1ed98bc318dc5ee5e1f8fb62b334.exe