File name: HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.7z

Full analysis: https://app.any.run/tasks/373c463f-d51c-44fe-963a-e816a30a014c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 29, 2025, 21:37:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 4113A78694CE580131A68E5E537C56D1
SHA1: 0DDADB9F9CD63FCE4A684D2964708B9D8BCDB23C
SHA256: 4C9CA56DAB61770604CF0302F10520DA58FDEC1653AE13C061424D21B08E6E1B
SSDEEP: 1536:szX9NsDXvEO8kkk9fJbg2FaROJCGjVbFftZyiaosgG4ZXfFnNP:szX9NoE1k1W2FaRgCGjVBLyirsvyPjP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Deletes shadow copies
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Generic archive extractor
      • WinRAR.exe (PID: 6044)
    • RANSOMWARE has been detected
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Using BCDEDIT.EXE to modify recovery options
      • cmd.exe (PID: 896)
      • cmd.exe (PID: 4024)
    • Renames files like ransomware
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Starts CMD.EXE for commands execution
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Creates file in the system drive root
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Executes as Windows Service
      • VSSVC.exe (PID: 4120)
    • Executable content was dropped or overwritten
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
  • INFO
    • Reads the computer name
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Manual execution by a user
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Checks supported languages
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 6044)
    • Process checks computer location settings
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Reads the machine GUID from the registry
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
    • Creates files in the program directory
      • HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (PID: 2320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:06:28 12:14:22+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 15
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes in the order shown (THREAT marks the malicious process; "no specs" is the report's label for nodes without attached signatures):
  • start
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • heur-trojan-ransom.win32.generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe (THREAT)
  • conhost.exe (no specs)
  • vssadmin.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • vssvc.exe (no specs)
  • bcdedit.exe (no specs)
  • bcdedit.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 728
CMD: bcdedit /set {current} recoveryenabled no
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
PID: 896
CMD: "C:\WINDOWS\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1072
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msxml6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winnsi.dll
PID: 1164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: vssadmin.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1196
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2320
CMD: "C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe"
Path: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules
Images
c:\users\admin\desktop\heur-trojan-ransom.win32.generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4024
CMD: "C:\WINDOWS\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 4120
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 2 918
Read events: 2 865
Write events: 35
Delete events: 18

Modification events

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.7z

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (6044) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files: 101
Suspicious files: 24 950
Text files: 2 970
Unknown types: 126

Dropped files

All files listed below were dropped by PID 2320, HEUR-Trojan-Ransom.Win32.Generic-863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe.

Filename: C:\bootTel.dat.tohnichi (type: text)
MD5: BB959DE861542887926D9D4BB6D1E114
SHA256: 3490967998D5BC71260211B855B5E3A7EB7EC135F7A56A0E3F095EBB13103647

Filename: C:\$Recycle.Bin\How to decrypt files.txt (type: text)
MD5: E473EEFDB7F5A9158F6C90D3D49A0617
SHA256: 309362B42C56FEB9E5F3B259CB8E5138770EEB6EEFCE00DA08EFCD5A295D174E

Filename: C:\found.000\How to decrypt files.txt (type: text)
MD5: E473EEFDB7F5A9158F6C90D3D49A0617
SHA256: 309362B42C56FEB9E5F3B259CB8E5138770EEB6EEFCE00DA08EFCD5A295D174E

Filename: C:\found.000\dir0000.chk\How to decrypt files.txt (type: text)
MD5: E473EEFDB7F5A9158F6C90D3D49A0617
SHA256: 309362B42C56FEB9E5F3B259CB8E5138770EEB6EEFCE00DA08EFCD5A295D174E

Filename: C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK.tohnichi (type: binary)
MD5: 7AA3CAAA1837B64EE506B07F362B190A
SHA256: 799FFC2CA3FEE4956C604B5E7BDC3A7DB4D10979541B339D3F86134DA13212A4

Filename: C:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl.tohnichi (type: binary)
MD5: 434B5CF7988B065ACB1D635D6A23DD81
SHA256: 90C55D9CE808235D80D314634B8AFD2660FFE3B378C3D64ED13B80EFC3504C40

Filename: C:\found.000\dir0000.chk\UpdateSessionOrchestration.016.etl (type: binary)
MD5: ED56FEBA031CE92A554D5F0AE41FE8F6
SHA256: 6212C50F1928C07CE094D58D36CAAC0AE3770F19BA9ECB4A22736F8935B58A96

Filename: C:\found.000\file00000000.chk.tohnichi (type: binary)
MD5: 6CD0E4B0B9D2ABF44D821D3C58AB9F4C
SHA256: 2E5516A64094B89512C5924C6AAA54A130F6D792C6E22BC4D8EC9861CC5DDE96

Filename: C:\found.000\file00000000.chk (type: binary)
MD5: 6CD0E4B0B9D2ABF44D821D3C58AB9F4C
SHA256: 2E5516A64094B89512C5924C6AAA54A130F6D792C6E22BC4D8EC9861CC5DDE96

Filename: C:\found.000\dir0000.chk\UpdateSessionOrchestration.037.etl (type: binary)
MD5: 434B5CF7988B065ACB1D635D6A23DD81
SHA256: 90C55D9CE808235D80D314634B8AFD2660FFE3B378C3D64ED13B80EFC3504C40
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 25
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
(the CN and Size columns are empty for every row and are omitted; a dash marks a cell the report left empty)
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5256 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5256 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a dash marks a cell the report left empty)
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain: resolved IP address(es) (reputation)
settings-win.data.microsoft.com: 40.127.240.158, 51.104.136.2 (whitelisted)
google.com: 142.250.186.78 (whitelisted)
crl.microsoft.com: 2.16.164.120, 2.16.164.49 (whitelisted)
www.microsoft.com: 95.101.149.131, 184.30.21.171 (whitelisted)
client.wns.windows.com: 172.211.123.250, 172.211.123.248 (whitelisted)
login.live.com: 40.126.32.76, 40.126.32.138, 20.190.160.67, 40.126.32.74, 20.190.160.14, 20.190.160.66, 40.126.32.72, 20.190.160.20 (whitelisted)
ocsp.digicert.com: 2.23.77.188 (whitelisted)
slscr.update.microsoft.com: 4.245.163.56 (whitelisted)
fe3cr.delivery.mp.microsoft.com: 13.95.31.18 (whitelisted)
activation-v2.sls.microsoft.com: 20.83.72.98, 40.91.76.224 (whitelisted)

Threats

No threats detected
No debug info