File name: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.7z

Full analysis: https://app.any.run/tasks/e78d32e1-d473-4cdc-8e3d-7f5e6410d163
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 27, 2025, 13:55:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arch-exec
ransomware
troldesh
shade
upx
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 01D9BF885303F5A929058032830A39D0
SHA1: 399D347740E89BC9D513962FDC287BDAD1E1C972
SHA256: 220149FD67D971C4D0342718E1BDC16197D862AE1BA619367C466CD090035661
SSDEEP: 49152:/ghyya5tacA6HxsCCQzJbmwLalfr9D/XzCu1zh48o47du3YXIyDERyCVO+vAAs0v:/yaLXTHxPC0JbmwLal9/jr1zmA7du3Yo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1572)
    • Troldesh is detected

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • Changes the autorun value in the registry

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • The process creates files with name similar to system file names

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
    • Application launched itself

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1572)
    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 1572)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • Manual execution by a user

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
    • Create files in a temporary directory

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 1548)
      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • Creates files in the program directory

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
    • UPX packer has been detected

      • HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe (PID: 984)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2017:01:05 17:32:30+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> heur-trojan-ransom.win32.agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe -> #TROLDESH heur-trojan-ransom.win32.agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe

Process information

PID: 984
CMD: "C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe"
Path: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Parent process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
User: admin
Company: X2Go Project
Integrity Level: HIGH
Description: Installer for X2Go Client for Windows
Version: 1.3.0.4
Modules (Images):
c:\users\admin\desktop\heur-trojan-ransom.win32.agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll

PID: 1548
CMD: "C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe"
Path: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Parent process: explorer.exe
User: admin
Company: X2Go Project
Integrity Level: HIGH
Description: Installer for X2Go Client for Windows
Exit code: 0
Version: 1.3.0.4
Modules (Images):
c:\users\admin\desktop\heur-trojan-ransom.win32.agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1572
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 3 005
Read events: 2 979
Write events: 26
Delete events: 0

Modification events

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.7z

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1572) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 3
Suspicious files: 2
Text files: 5
Unknown types: 0

Dropped files

PID: 984
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\ProgramData\Windows\csrss.exe
Type: executable
MD5: C44E3C2A4B78303640F92023BA726212
SHA256: 9A370A5B9FC8C3928F0D9E3881DB4B79A1F020C2FF042D3EF9F9672F22AC9316

PID: 1548
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\feed
Type: xml
MD5: F08784B01F10E5E081A39DDE42A9A108
SHA256: F6A53634450F584CFE2D6F01156DCDF91F09F83C81479C3E3B966D84AC79016E

PID: 1548
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\feed1507492176.rss+xml
Type: xml
MD5: B54778AA902187D409C1936751D5059B
SHA256: BFA4800F8A7250663BBC95BA79A65EB9C83426DCF5DF897CDBDB19D413091E8F

PID: 1548
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\feed931805244.rss+xml
Type: xml
MD5: 13C86D328D11F3F0C44A70F75AAACEB8
SHA256: 0A2519B65EDD81BC48A3BC4E7867F352E1B77E87EB00AFDECD2874DBDA8DFCF5

PID: 984
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\6893A5D897\state
Type: text
MD5: BBE0E2C6F36B3BF2FDDED0D72C1DC1AC
SHA256: A237338F8296B2ACDCAC6D0D935061248392180261EAF749C7D9A0A4AB8550E4

PID: 1548
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx4736.tmp
Type: binary
MD5: 2C982F4B654212208D65838D5FC64B80
SHA256: 8E478694FE00F047D6743A33DD7FBB3F327B830D1D322311EEE9E0EDF869BB93

PID: 984
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
Type: text
MD5: BBE0E2C6F36B3BF2FDDED0D72C1DC1AC
SHA256: A237338F8296B2ACDCAC6D0D935061248392180261EAF749C7D9A0A4AB8550E4

PID: 1548
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\rt3fUy.Lv6gpGnXidoKOQx
Type: binary
MD5: 78A3CA9E3FAD2B5A4CB9587852B4CCE2
SHA256: 77CF4407E69ABD3739B2CC9287EE96300A4675E414FA85A489EEA2627E0619F4

PID: 1572
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb1572.47589\HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Type: executable
MD5: C44E3C2A4B78303640F92023BA726212
SHA256: 9A370A5B9FC8C3928F0D9E3881DB4B79A1F020C2FF042D3EF9F9672F22AC9316

PID: 1548
Process: HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsn47E3.tmp\System.dll
Type: executable
MD5: A4DD044BCD94E9B3370CCF095B31F896
SHA256: 2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
HTTP(S) requests: 0
TCP/UDP connections: 9
DNS requests: 2
Threats: 2

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
984 | HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe | 86.59.21.38:443 | | Hutchison Drei Austria GmbH | AT | unknown
984 | HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe | 208.83.223.34:80 | | APPLIEDOPS | US | unknown
984 | HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe | 131.188.40.189:443 | | Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | DE | unknown

DNS requests

Domain | IP | Reputation
google.com | 172.217.16.142 | whitelisted
dns.msftncsi.com | 131.107.255.255 | whitelisted

Threats

PID | Process | Class | Message
984 | HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 159
984 | HEUR-Trojan-Ransom.Win32.Agent.gen-9a370a5b9fc8c3928f0d9e3881db4b79a1f020c2ff042d3ef9f9672f22ac9316.exe | Unknown Traffic | ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware
No debug info