File name:

660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe

Full analysis: https://app.any.run/tasks/7baa6e82-99fc-46e3-874b-f3ca0cde71ac
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data by one of several methods in order to extort a ransom. Most often it encrypts files on the infected machine and demands a payment in exchange for the decryption key. Some families also steal sensitive data from the compromised host, or run DDoS attacks against the victim organization, to add pressure to pay.

Analysis date: May 15, 2025, 21:33:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loki
ransomware
evasion
confuser
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

8741252D2876A50E9E7F9FA615605C58

SHA1:

2E19BE85AE7B689D2B538F14F2140817F369B41B

SHA256:

660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A

SSDEEP:

24576:0Ah1CvF4FzPlSgP8crWTEAPNagQfVHyCSsbT:0Ah1CvF4FzPlSgP8crWTEAPNagQfVHyK

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • LOKI has been detected

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Create files in the Startup directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 7644)
    • Starts Visual C# compiler

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Deletes shadow copies

      • cmd.exe (PID: 7224)
    • Disables Windows Defender

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • RANSOMWARE has been detected

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Executable content was dropped or overwritten

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • csc.exe (PID: 7732)
      • csc.exe (PID: 8024)
    • Uses .NET C# to load dll

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Reads security settings of Internet Explorer

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • ShellExperienceHost.exe (PID: 6112)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Application launched itself

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 7200)
    • Executes as Windows Service

      • VSSVC.exe (PID: 680)
    • Starts POWERSHELL.EXE for commands execution

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Filtering the input of cmdlet (POWERSHELL)

      • powershell.exe (PID: 7228)
    • Uses pipe srvsvc via SMB (transferring data)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Creates file in the systems drive root

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • There is functionality for taking screenshot (YARA)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
  • INFO

    • Creates files or folders in the user directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
    • Reads the computer name

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 6112)
    • Checks supported languages

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • csc.exe (PID: 7732)
      • cvtres.exe (PID: 7792)
      • csc.exe (PID: 8024)
      • cvtres.exe (PID: 8100)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 6112)
    • Process checks computer location settings

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Creates files in the program directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • csc.exe (PID: 7732)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • csc.exe (PID: 8024)
    • Failed to create an executable file in Windows directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
    • Reads the machine GUID from the registry

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • csc.exe (PID: 7732)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • csc.exe (PID: 8024)
    • Create files in a temporary directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • cvtres.exe (PID: 7792)
      • cvtres.exe (PID: 8100)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7052)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7228)
    • Confuser has been detected (YARA)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Disables trace logs

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Checks proxy server information

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • .NET Reactor protector has been detected

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 426496
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft
FileDescription: svchost
FileVersion: 1.0.0.0
InternalName: svchost.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: svchost.exe
ProductName: svchost
ProductVersion: 1.0.0.0
AssemblyVersion: 1.2.0.0
All screenshots are available in the full report
Total processes
178
Monitored processes
42
Malicious processes
3
Suspicious processes
0

Behavior graph

Process chain in launch order ("no indicators" marks processes the sandbox attached no signatures to; #LOKI marks the two detections):

start
#LOKI 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
cmd.exe
conhost.exe (no indicators)
schtasks.exe (no indicators)
csc.exe
conhost.exe (no indicators)
cvtres.exe (no indicators)
sppextcomobj.exe (no indicators)
#LOKI 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
slui.exe (no indicators)
csc.exe
conhost.exe (no indicators)
cvtres.exe (no indicators)
8 x cmd.exe + conhost.exe (no indicators)
netsh.exe (no indicators)
netsh.exe (no indicators)
wmic.exe (no indicators)
SPPSurrogate (no indicators)
vssvc.exe (no indicators)
powershell.exe (no indicators)
conhost.exe (no indicators)
ucpdmgr.exe (no indicators)
conhost.exe (no indicators)
shellexperiencehost.exe (no indicators)
ucpdmgr.exe (no indicators)
conhost.exe (no indicators)
svchost.exe

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column is empty for every process listed here)
PID 680 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent: services.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1672 | CMD: netsh firewall set opmode mode=disable | Path: C:\Windows\SysWOW64\netsh.exe | Parent: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Network Command Shell | Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 2100 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Console Window Host | Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2140 | CMD: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off | Path: C:\Windows\SysWOW64\cmd.exe | Parent: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 2196 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent: services.exe
User: NETWORK SERVICE | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID 4892 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: UCPDMgr.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Console Window Host | Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5024 | CMD: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures | Path: C:\Windows\SysWOW64\cmd.exe | Parent: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Windows Command Processor | Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 5344 | CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | Path: C:\Windows\System32\dllhost.exe | Parent: svchost.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: COM Surrogate | Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID 5376 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Console Window Host | Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5544 | CMD: netsh advfirewall set currentprofile state off | Path: C:\Windows\SysWOW64\netsh.exe | Parent: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
Description: Network Command Shell | Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
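The process table above carries the exact command lines this sample used to knock out host defences before encrypting: the deprecated `netsh firewall set opmode mode=disable` (PID 1672), `netsh advfirewall set currentprofile state off` (PIDs 2140/5544), and `bcdedit /set {default} bootstatuspolicy ignoreallfailures` (PID 5024). Note that the bcdedit attempt exited with code 1, so a detection keyed on the command line catches the attempt where one keyed on the resulting state would miss it. The detector below is an added example written for this page, not ANY.RUN or Loki code: it normalises Sysmon-style process-creation records (the `pid`/`image`/`parent_image`/`cmdline` field names are an assumed schema), strips the `cmd.exe /C` wrapper so the same rule fires on the parent and the child, and maps each hit to an ATT&CK technique. The first three rules match the commands shown verbatim above; the shadow-copy, `recoveryenabled` and `schtasks` rules are generalisations of behaviours the report only names, and their exact syntax is an assumption. The sample events are constructed from this page's process table plus one benign read-only `netsh` call.

```python
"""Flag the firewall- and recovery-tampering command lines seen in the sandbox run.

Added example, not ANY.RUN or Loki code. The Sysmon-style field names below are an
assumed telemetry schema; SAMPLE_EVENTS is constructed from the process table on this page.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    technique: str   # ATT&CK ID the rule maps to
    cmdline: str     # normalised command line that matched


# (rule name, ATT&CK technique, pattern over the normalised command line).
# First three: commands shown verbatim on this page. The rest generalise behaviours the
# report only names ("Deletes shadow copies", "Uses Task Scheduler"); syntax is assumed.
RULES = [
    ("netsh_legacy_firewall_disable", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode=)?disable\b")),
    ("netsh_advfirewall_profile_off", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w*profiles?\s+state\s+off\b")),
    ("bcdedit_bootstatuspolicy_ignore", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("bcdedit_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b")),
    ("schtasks_create", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b")),
]

# Leading '"C:\Windows\System32\cmd.exe" /C ' (or /K) wrapper, as used by PIDs 2140 and 5024.
CMD_WRAPPER = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+')


def normalise(cmdline: str) -> str:
    """Lower-case, collapse whitespace and strip a leading cmd.exe /C wrapper so the
    same rule fires whether the command is seen on cmd.exe or on its child."""
    s = " ".join(cmdline.split()).lower()
    return CMD_WRAPPER.sub("", s)


def detect(events):
    """Return one Finding per (event, rule) match."""
    findings = []
    for ev in events:
        cmd = normalise(ev.cmdline)
        for name, technique, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(ev.pid, name, technique, cmd))
    return findings


def summarise(findings):
    """Count matches per ATT&CK technique."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


SAMPLE = "660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe"

# Constructed from the process table on this page, plus one benign read-only netsh call
# (PID 9001, invented) to show the rules stay quiet on it.
SAMPLE_EVENTS = [
    ProcEvent(2140, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE,
              r'"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off'),
    ProcEvent(5544, r"C:\Windows\SysWOW64\netsh.exe", "cmd.exe",
              "netsh advfirewall set currentprofile state off"),
    ProcEvent(1672, r"C:\Windows\SysWOW64\netsh.exe", "cmd.exe",
              "netsh firewall set opmode mode=disable"),
    ProcEvent(5024, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE,
              r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(9001, r"C:\Windows\System32\netsh.exe", "cmd.exe",
              "netsh advfirewall show allprofiles"),
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"pid {f.pid}: {f.rule} [{f.technique}] <- {f.cmdline}")
    print(summarise(hits))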
Total events
14 750
Read events
14 675
Write events
75
Delete events
0

Modification events

PID 7516 (660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Invoke | Operation: write | Name: Michael Gillespie | Value: C:\ProgramData\winlogon.exe
PID 7516 (660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | Operation: write | Name: GlobalAssocChangedCounter | Value: 114
PID 7904 (660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe) | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Invoke | Operation: write | Name: Michael Gillespie | Value: C:\WINDOWS\winlogon.exe
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter) | Value: 48000000000000005AC7F213E1C5DB01E014000058120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave) | Value: 480000000000000020994814E1C5DB01E014000058120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter) | Value: 480000000000000020994814E1C5DB01E014000058120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave) | Value: 4800000000000000B7FC4A14E1C5DB01E014000058120000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter) | Value: 4800000000000000A58A5414E1C5DB01E014000058120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave) | Value: 4800000000000000A58A5414E1C5DB01E014000058120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5344 (dllhost.exe) | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter) | Value: 4800000000000000A58A5414E1C5DB01E014000058120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
9
Suspicious files
554
Text files
152
Unknown types
0

Dropped files

Columns: PID | Process | Filename | Type (hashes on the following line)
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | executable
  MD5: 8741252D2876A50E9E7F9FA615605C58 | SHA256: 660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Roaming\winlogon.exe | executable
  MD5: 8741252D2876A50E9E7F9FA615605C58 | SHA256: 660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Local\Temp\jzyvgpnv.ico | image
  MD5: 8C9A5448905C6AD6F5A15AD8F102FA56 | SHA256: FC65491D373C30593F9EF53D83959625DC384BC42D551AA77A666D4E9B538104
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Local\Temp\3xba330p.cmdline | text
  MD5: 003689C42633C1213B8792B82241A145 | SHA256: 261E96B3DCA81F2D8BE5D73492E89C924DAC872C986E737BFFE2469A6E45652B
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Local\Temp\3xba330p.0.cs | text
  MD5: 612523F6C701618344942D5284820438 | SHA256: 7605A9B81576D122F67584617EC3619EEBDE41E68EDCF47AA8D4C0AE6A828C05
7732 | csc.exe | C:\Users\admin\AppData\Local\Temp\3xba330p.out | text
  MD5: F887C351C5D860CE49F838060F644843 | SHA256: A8D1C71AB5FD3DA95E19B0A4283912FE5F55424C45381B1CCBF5DC3A67DBA971
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\ProgramData\winlogon.exe | executable
  MD5: 8741252D2876A50E9E7F9FA615605C58 | SHA256: 660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
7732 | csc.exe | C:\ProgramData\CSC1334E318BE7140898EC8A39903882FC.TMP | binary
  MD5: BA1F2AF085EBD9C30C55E6CA4B67C275 | SHA256: 9C2ACA930F35C19242FA880786D9338F8BA63C96AE41DDC20E29B76E51EEDB3E
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat | text
  MD5: 3FC537B642D3756646715325299C6367 | SHA256: 708511C356493E41CA103DB51B8DF3FB57898DDB2BB7CF4F11560FACDE9425ED
7732 | csc.exe | C:\ProgramData\lc3iiehf.exe | executable
  MD5: F22F14870EDF2CC5CCE6E7F991F6DE86 | SHA256: 8CEBB54BFEEB1B9D9996A3E2AA4589336561FA60CA2EF27520E3D41644627E70
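The dropped-files and modification-events tables together show the persistence pattern: the sample's version resource claims CompanyName "Microsoft" and OriginalFileName "svchost.exe", yet it writes byte-identical copies of itself (same MD5/SHA256 as the submitted file) as winlogon.exe into the Startup folder, AppData\Roaming and C:\ProgramData, drops a .bat into Startup, and stores the copy paths as a value named "Michael Gillespie" under a non-standard `CurrentVersion\Invoke` key in both HKCU and HKLM\WOW6432Node. The HKLM value points at C:\WINDOWS\winlogon.exe even though the report notes the sample failed to create an executable in the Windows directory, so the pointer may be dangling; it is still worth flagging. The triage routine below is an added example written for this page, not ANY.RUN or Loki code. It flags a core system binary name outside System32/SysWOW64 (masquerading), writes into the per-user Startup folder, executables dropped directly under ProgramData, Roaming or the drive root, self-copies identified by hash, and executable paths stored under CurrentVersion subkeys that are not documented autostart keys. The directory lists and the known-autorun-key set are the author's assumptions; the input records are constructed from the two tables above.

```python
"""Path- and registry-based triage of the artefacts this sample dropped.

Added example, not ANY.RUN or Loki code. PROTECTED_NAMES, ODD_EXE_ROOTS and
KNOWN_AUTORUN_LEAVES are assumed lists; the records are constructed from this page.
"""
import ntpath
from dataclasses import dataclass, field

SAMPLE_SHA256 = "660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A"

# Core system binaries that legitimately exist only under System32 (or SysWOW64).
PROTECTED_NAMES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32\", r"c:\windows\syswow64\")
STARTUP_MARK = r"\start menu\programs\startup\"
# Directories where a newly written .exe is unusual enough to flag (assumed list).
ODD_EXE_ROOTS = (r"c:\programdata\", r"c:\users\admin\appdata\roaming\", "c:\\")
# Documented autostart leaves under ...\CurrentVersion\; an exe path anywhere else is odd.
KNOWN_AUTORUN_LEAVES = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}


@dataclass
class Finding:
    source: str                 # "file" or "registry"
    subject: str                # path, or key\name = data
    reasons: list = field(default_factory=list)


def triage_path(path, sha256=None):
    """Return the reasons a written file is suspicious (empty list if none)."""
    p = path.lower()
    name = ntpath.basename(p)
    parent = ntpath.dirname(p)
    if not parent.endswith("\\"):
        parent += "\\"
    reasons = []
    if name in PROTECTED_NAMES and not p.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32/SysWOW64 (masquerade)")
    if STARTUP_MARK in p:
        reasons.append("written to the per-user Startup folder (autostart)")
    if name.endswith(".exe") and parent in ODD_EXE_ROOTS:
        reasons.append(f"executable written directly under {parent}")
    if sha256 and sha256.upper() == SAMPLE_SHA256:
        reasons.append("byte-identical copy of the analysed sample (self-replication)")
    return reasons


def triage_registry_value(key, name, data):
    """Flag exe paths under non-standard CurrentVersion subkeys, then triage the target."""
    k = key.lower()
    leaf = k.rsplit("\\", 1)[-1]
    reasons = []
    if (r"\microsoft\windows\currentversion\" in k
            and leaf not in KNOWN_AUTORUN_LEAVES and data.lower().endswith(".exe")):
        reasons.append(f"executable path stored under non-standard CurrentVersion subkey '{leaf}'")
    reasons += [f"target: {r}" for r in triage_path(data)]
    return reasons


def run_triage(dropped, registry):
    """Run both checks over (pid, path, sha256) and (pid, key, name, data) records."""
    findings = []
    for pid, path, sha in dropped:
        reasons = triage_path(path, sha)
        if reasons:
            findings.append(Finding("file", f"pid {pid}: {path}", reasons))
    for pid, key, name, data in registry:
        reasons = triage_registry_value(key, name, data)
        if reasons:
            findings.append(Finding("registry", f"pid {pid}: {key}\\{name} = {data}", reasons))
    return findings


STARTUP = r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed from the Dropped files table: (pid, path, sha256).
DROPPED_FILES = [
    (7516, STARTUP + r"\winlogon.exe", SAMPLE_SHA256),
    (7516, r"C:\Users\admin\AppData\Roaming\winlogon.exe", SAMPLE_SHA256),
    (7516, r"C:\Users\admin\AppData\Local\Temp\jzyvgpnv.ico",
     "FC65491D373C30593F9EF53D83959625DC384BC42D551AA77A666D4E9B538104"),
    (7516, r"C:\Users\admin\AppData\Local\Temp\3xba330p.0.cs",
     "7605A9B81576D122F67584617EC3619EEBDE41E68EDCF47AA8D4C0AE6A828C05"),
    (7516, r"C:\ProgramData\winlogon.exe", SAMPLE_SHA256),
    (7516, STARTUP + r"\wvtymcow.bat",
     "708511C356493E41CA103DB51B8DF3FB57898DDB2BB7CF4F11560FACDE9425ED"),
    (7732, r"C:\ProgramData\lc3iiehf.exe",
     "8CEBB54BFEEB1B9D9996A3E2AA4589336561FA60CA2EF27520E3D41644627E70"),
]
# Constructed from the Modification events table: (pid, key, value name, data).
REGISTRY_WRITES = [
    (7516, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Invoke",
     "Michael Gillespie", r"C:\ProgramData\winlogon.exe"),
    (7904, r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Invoke",
     "Michael Gillespie", r"C:\WINDOWS\winlogon.exe"),
]

if __name__ == "__main__":
    for f in run_triage(DROPPED_FILES, REGISTRY_WRITES):
        print(f"[{f.source}] {f.subject}")
        for r in f.reasons:
            print(f"    - {r}")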
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
53
DNS requests
15
Threats
3

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this extract; rows without a PID are continuation rows as extracted)
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 304 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.25.54.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.25.54.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8704 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | whitelisted
8704 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (rows without a PID are continuation rows as extracted)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
- | - | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 184.25.54.100:80 | www.microsoft.com | Telgua | SV | whitelisted
- | - | 184.25.54.100:80 | www.microsoft.com | Telgua | SV | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2292 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 184.25.54.100
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.64
  • 40.126.31.3
  • 20.190.159.71
  • 40.126.31.130
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.75
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

Columns: PID | Process | Class | Message
7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info