File name:

Ransomware.TeslaCrypt.zip

Full analysis: https://app.any.run/tasks/bb67774f-9e55-4bb2-a2c7-3a828cf6b91c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 28, 2024, 20:07:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
teslacrypt
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

F755A44BBB97E9BA70BF38F1BDC67722

SHA1:

F70331EB64FD893047F263623FFB1E74E6FE4187

SHA256:

3B246FAA7E4B2A8550AA619F4DA893DB83721AACF62B46E5863644A5249AA87E

SSDEEP:

6144:xQAq0svy/pQhk1NBePvxGNWeOyqYAGfr/H/h60BHtzbprAvNGTG/fi5QCIq3h11Z:LyKoUlWeOP8HXrINZ/2uJUgVu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • WinRAR.exe (PID: 2160)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • lrsomwd.exe (PID: 2780)
      • iloxcgm.exe (PID: 1692)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Deletes shadow copies

      • iloxcgm.exe (PID: 1692)
      • lrsomwd.exe (PID: 2780)

    • Changes the autorun value in the registry

      • iloxcgm.exe (PID: 1692)
      • lrsomwd.exe (PID: 2780)
      • lxiypak.exe (PID: 1592)

    • Renames files like ransomware

      • lrsomwd.exe (PID: 2780)

    • Actions looks like stealing of personal data

      • lrsomwd.exe (PID: 2780)

    • Create files in the Startup directory

      • lrsomwd.exe (PID: 2780)

    • TESLACRYPT has been detected (SURICATA)

      • msedge.exe (PID: 1040)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Starts itself from another location

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Reads the Internet Settings

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • iloxcgm.exe (PID: 1692)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • lrsomwd.exe (PID: 2780)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Reads security settings of Internet Explorer

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • iloxcgm.exe (PID: 1692)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • lrsomwd.exe (PID: 2780)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Starts CMD.EXE for commands execution

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Application launched itself

      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1340)
      • lrsomwd.exe (PID: 2484)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 952)
      • lxiypak.exe (PID: 920)

    • Executes as Windows Service

      • VSSVC.exe (PID: 2908)

    • Creates files like ransomware instruction

      • lrsomwd.exe (PID: 2780)

    • Checks for external IP

      • lrsomwd.exe (PID: 2780)

  • INFO

    • Checks supported languages

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • wmpnscfg.exe (PID: 1384)
      • iloxcgm.exe (PID: 1692)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1340)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • lrsomwd.exe (PID: 2484)
      • lrsomwd.exe (PID: 2780)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 952)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)
      • lxiypak.exe (PID: 920)
      • lxiypak.exe (PID: 1592)

    • Reads the computer name

      • wmpnscfg.exe (PID: 1384)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • iloxcgm.exe (PID: 1692)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • lrsomwd.exe (PID: 2780)
      • lxiypak.exe (PID: 1592)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Dropped object may contain TOR URL's

      • WinRAR.exe (PID: 2160)
      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • lrsomwd.exe (PID: 2780)

    • Creates files or folders in the user directory

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1844)
      • iloxcgm.exe (PID: 1692)
      • lrsomwd.exe (PID: 2780)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 664)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2160)

    • Manual execution by a user

      • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe (PID: 1836)
      • E906FA3D51E86A61741B3499145A114E9BFB7C56.exe (PID: 1340)
      • 51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe (PID: 952)
      • notepad.exe (PID: 4072)
      • msedge.exe (PID: 3420)

    • Reads the machine GUID from the registry

      • iloxcgm.exe (PID: 1692)
      • lrsomwd.exe (PID: 2780)

    • Checks proxy server information

      • iloxcgm.exe (PID: 1692)
      • lrsomwd.exe (PID: 2780)

    • Creates files in the program directory

      • lrsomwd.exe (PID: 2780)

    • Application launched itself

      • msedge.exe (PID: 2080)
      • msedge.exe (PID: 2952)
      • msedge.exe (PID: 3420)
      • msedge.exe (PID: 3236)
      • msedge.exe (PID: 3248)
      • msedge.exe (PID: 2852)
      • msedge.exe (PID: 1560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2015:04:08 12:36:46
ZipCRC: 0x85f212e0
ZipCompressedSize: 181367
ZipUncompressedSize: 267278
ZipFileName: E906FA3D51E86A61741B3499145A114E9BFB7C56
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
68
Malicious processes
9
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe iloxcgm.exe cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs e906fa3d51e86a61741b3499145a114e9bfb7c56.exe e906fa3d51e86a61741b3499145a114e9bfb7c56.exe lrsomwd.exe no specs cmd.exe no specs lrsomwd.exe vssadmin.exe no specs 51b4ef5dc9d26b7a26e214cee90598631e2eaa67.exe 51b4ef5dc9d26b7a26e214cee90598631e2eaa67.exe lxiypak.exe no specs cmd.exe no specs lxiypak.exe notepad.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs #TESLACRYPT msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2136 --field-trial-handle=1328,i,9117468034398539465,5554933918803806992,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
548"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6970f598,0x6970f5a8,0x6970f5b4C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
664C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exeC:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\ransomware.teslacrypt\51b4ef5dc9d26b7a26e214cee90598631e2eaa67.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
920C:\Users\admin\AppData\Roaming\lxiypak.exeC:\Users\admin\AppData\Roaming\lxiypak.exe51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
User:
admin
Integrity Level:
HIGH
Exit code:
12
Modules
Images
c:\users\admin\appdata\roaming\lxiypak.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
948"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2204 --field-trial-handle=1328,i,9117468034398539465,5554933918803806992,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
952"C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe" C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
12
Modules
Images
c:\users\admin\appdata\local\temp\ransomware.teslacrypt\51b4ef5dc9d26b7a26e214cee90598631e2eaa67.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1040"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1328,i,9117468034398539465,5554933918803806992,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1340"C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe" C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
12
Modules
Images
c:\users\admin\appdata\local\temp\ransomware.teslacrypt\e906fa3d51e86a61741b3499145a114e9bfb7c56.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
1384"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1560"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1HfWAJVJSo5wERGZfLu4XFxSMivRKXUFJ4C:\Program Files\Microsoft\Edge\Application\msedge.exelrsomwd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
24 410
Read events
24 117
Write events
261
Delete events
32

Modification events

(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2160) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt.zip
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2160) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
10
Suspicious files
2 136
Text files
887
Unknown types
1 364

Dropped files

PID
Process
Filename
Type
2160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67executable
MD5:6E080AA085293BB9FBDCC9015337D309
SHA256:9B462800F1BEF019D7EC00098682D3EA7FC60E6721555F616399228E4E3AD122
2160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370executable
MD5:209A288C68207D57E0CE6E60EBF60729
SHA256:3372C1EDAB46837F1E973164FA2D726C5C5E17BCB888828CCD7C4DFCC234A370
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.eccbinary
MD5:364F1D4FEA3B34A42911EC48FB46DCCB
SHA256:3B1921524B7C3E85AA3C4CCAAF1163CAF69D7FFBC0420AD906A307368AA0D96D
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak.eccbinary
MD5:29758163AC4872F64527E3EAED028E02
SHA256:32C19387A7AF97F127083974E03D8FAF0A076E29F9B3CFDBD52ECF51661A6535
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdfbinary
MD5:364F1D4FEA3B34A42911EC48FB46DCCB
SHA256:3B1921524B7C3E85AA3C4CCAAF1163CAF69D7FFBC0420AD906A307368AA0D96D
2160WinRAR.exeC:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt\E906FA3D51E86A61741B3499145A114E9BFB7C56executable
MD5:6D3D62A4CFF19B4F2CC7CE9027C33BE8
SHA256:AFABA2400552C7032A5C4C6E6151DF374D0E98DC67204066281E30E6699DBD18
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txtbinary
MD5:94D2966DEF84A0409A1431A336AF2842
SHA256:01953C7ECF5786C74FF8F2D17856E8640A5C835D744198FA83D8C6B34E462F0B
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt.eccbinary
MD5:84E8B4D1A4DBE79D02FEA1AAD0997BCC
SHA256:2821D228F13BBA5F002D856A7AD2077F124F267B969BC4792339A0042B36759F
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pakbinary
MD5:EDE24F1DB3562F206638362919A303C0
SHA256:A38B140E14C00C4C9D1D8C0ED48F4EEC3804737E05A1A23B4D6FE1678FC82B77
1692iloxcgm.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txtbinary
MD5:84E8B4D1A4DBE79D02FEA1AAD0997BCC
SHA256:2821D228F13BBA5F002D856A7AD2077F124F267B969BC4792339A0042B36759F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
54
DNS requests
144
Threats
66

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2780
lrsomwd.exe
GET
403
34.117.186.192:80
http://ipinfo.io/ip
unknown
html
297 b
unknown
1040
msedge.exe
GET
301
88.208.3.194:80
http://thisvid.com/
unknown
html
162 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1692
iloxcgm.exe
103.198.0.111:443
7tno4hib47vlep5o.tor2web.org
unknown
2780
lrsomwd.exe
34.117.186.192:80
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
unknown
3420
msedge.exe
239.255.255.250:1900
unknown
1040
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1040
msedge.exe
204.79.197.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
1040
msedge.exe
88.221.221.115:443
www.bing.com
Akamai International B.V.
DE
unknown
3420
msedge.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
7tno4hib47vlep5o.tor2web.org
  • 103.198.0.111
malicious
7tno4hib47vlep5o.tor2web.blutmagie.de
unknown
7tno4hib47vlep5o.tor2web.fi
unknown
ipinfo.io
  • 34.117.186.192
shared
epmhyca5ol6plmx3.wh47f2as19.com
unknown
7tno4hib47vlep5o.7hwr34n18.com
unknown
epmhyca5ol6plmx3.tor2web.blutmagie.de
unknown
epmhyca5ol6plmx3.tor2web.fi
unknown
3kxwjihmkgibht2s.wh47f2as19.com
unknown
edge.microsoft.com
  • 204.79.197.239
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)
2780
lrsomwd.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ipinfo.io
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)
1080
svchost.exe
A Network Trojan was detected
ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)
28 ETPRO signatures available at the full report
Process
Message
msedge.exe
[0228/201008.357:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
msedge.exe
[0228/201013.586:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
msedge.exe
[0228/201016.545:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
msedge.exe
[0228/201024.755:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Ransomware.TeslaCrypt.zip