File name: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe

Full analysis: https://app.any.run/tasks/7baa6e82-99fc-46e3-874b-f3ca0cde71ac
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 15, 2025, 21:33:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loki
ransomware
evasion
confuser
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

8741252D2876A50E9E7F9FA615605C58

SHA1:

2E19BE85AE7B689D2B538F14F2140817F369B41B

SHA256:

660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A

SSDEEP:

24576:0Ah1CvF4FzPlSgP8crWTEAPNagQfVHyCSsbT:0Ah1CvF4FzPlSgP8crWTEAPNagQfVHyK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LOKI has been detected

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Create files in the Startup directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 7644)
    • Starts Visual C# compiler

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Deletes shadow copies

      • cmd.exe (PID: 7224)
    • Disables Windows Defender

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • RANSOMWARE has been detected

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • csc.exe (PID: 7732)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • csc.exe (PID: 8024)
    • Starts CMD.EXE for commands execution

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Uses .NET C# to load dll

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Reads security settings of Internet Explorer

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • ShellExperienceHost.exe (PID: 6112)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Application launched itself

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 7200)
    • Executes as Windows Service

      • VSSVC.exe (PID: 680)
    • Filtering the input of cmdlet (POWERSHELL)

      • powershell.exe (PID: 7228)
    • Starts POWERSHELL.EXE for commands execution

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Uses pipe srvsvc via SMB (transferring data)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Checks for external IP

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • svchost.exe (PID: 2196)
    • Creates file in the systems drive root

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • There is functionality for taking screenshot (YARA)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
  • INFO

    • Reads the computer name

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 6112)
    • Creates files in the program directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • csc.exe (PID: 7732)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • csc.exe (PID: 8024)
    • Process checks computer location settings

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Creates files or folders in the user directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
    • Checks supported languages

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • csc.exe (PID: 7732)
      • cvtres.exe (PID: 7792)
      • csc.exe (PID: 8024)
      • cvtres.exe (PID: 8100)
      • ShellExperienceHost.exe (PID: 6112)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Failed to create an executable file in Windows directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
    • Create files in a temporary directory

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • cvtres.exe (PID: 7792)
      • cvtres.exe (PID: 8100)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Reads the machine GUID from the registry

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7516)
      • csc.exe (PID: 7732)
      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
      • csc.exe (PID: 8024)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7052)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7228)
    • .NET Reactor protector has been detected

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Confuser has been detected (YARA)

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Disables trace logs

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
    • Checks proxy server information

      • 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe (PID: 7904)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 426496
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft
FileDescription: svchost
FileVersion: 1.0.0.0
InternalName: svchost.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: svchost.exe
ProductName: svchost
ProductVersion: 1.0.0.0
AssemblyVersion: 1.2.0.0
No data.
All screenshots are available in the full report
Total processes: 178
Monitored processes: 42
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start #LOKI 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe cmd.exe conhost.exe no specs schtasks.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs sppextcomobj.exe no specs #LOKI 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe slui.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs netsh.exe no specs wmic.exe no specs SPPSurrogate no specs vssvc.exe no specs powershell.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs shellexperiencehost.exe no specs ucpdmgr.exe no specs conhost.exe no specs svchost.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 680
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1672
CMD: netsh firewall set opmode mode=disable
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2140
CMD: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4892
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5024
CMD: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5344
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5544
CMD: netsh advfirewall set currentprofile state off
Path: C:\Windows\SysWOW64\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 14 750
Read events: 14 675
Write events: 75
Delete events: 0

Modification events

PID: 7516 | Process: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Invoke
Operation: write | Name: Michael Gillespie
Value:
C:\ProgramData\winlogon.exe
PID: 7516 | Process: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write | Name: GlobalAssocChangedCounter
Value:
114
PID: 7904 | Process: 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Invoke
Operation: write | Name: Michael Gillespie
Value:
C:\WINDOWS\winlogon.exe
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Enter)
Value:
48000000000000005AC7F213E1C5DB01E014000058120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Leave)
Value:
480000000000000020994814E1C5DB01E014000058120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Enter)
Value:
480000000000000020994814E1C5DB01E014000058120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Leave)
Value:
4800000000000000B7FC4A14E1C5DB01E014000058120000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Enter)
Value:
4800000000000000A58A5414E1C5DB01E014000058120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Leave)
Value:
4800000000000000A58A5414E1C5DB01E014000058120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID: 5344 | Process: dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Enter)
Value:
4800000000000000A58A5414E1C5DB01E014000058120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 9
Suspicious files: 554
Text files: 152
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Roaming\winlogon.exe | executable
MD5:8741252D2876A50E9E7F9FA615605C58
SHA256:660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | executable
MD5:8741252D2876A50E9E7F9FA615605C58
SHA256:660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\ProgramData\winlogon.exe | executable
MD5:8741252D2876A50E9E7F9FA615605C58
SHA256:660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Local\Temp\fduo3g5k\fduo3g5k.cmdline | text
MD5:714D164592F4E8C01D805868A0653E2B
SHA256:B88948028A5B4F8FC05413E61D6B0C9D6521FE63C37DBFE8AE82B97FF48ABC7B
7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Local\Temp\fduo3g5k\fduo3g5k.0.cs | text
MD5:612523F6C701618344942D5284820438
SHA256:7605A9B81576D122F67584617EC3619EEBDE41E68EDCF47AA8D4C0AE6A828C05
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Local\Temp\3xba330p.0.cs | text
MD5:612523F6C701618344942D5284820438
SHA256:7605A9B81576D122F67584617EC3619EEBDE41E68EDCF47AA8D4C0AE6A828C05
7516 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat | text
MD5:3FC537B642D3756646715325299C6367
SHA256:708511C356493E41CA103DB51B8DF3FB57898DDB2BB7CF4F11560FACDE9425ED
7732 | csc.exe | C:\ProgramData\CSC1334E318BE7140898EC8A39903882FC.TMP | binary
MD5:BA1F2AF085EBD9C30C55E6CA4B67C275
SHA256:9C2ACA930F35C19242FA880786D9338F8BA63C96AE41DDC20E29B76E51EEDB3E
7792 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESC97C.tmp | binary
MD5:05D10F4774D6A8EE72E2B0902D8BAAF7
SHA256:09388E3448B4B552E2475240D95FF9028416F161A3C43E6CCC2F2D02B50F513F
7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | C:\Windows\winlogon.exe | executable
MD5:8741252D2876A50E9E7F9FA615605C58
SHA256:660BD81C72D9E6A75F9802D28C592B76823C4A0AEA8E9CCAC98B35B9BC5E8B8A
HTTP(S) requests: 8
TCP/UDP connections: 53
DNS requests: 15
Threats: 3

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (empty cells are omitted; a row with "-" in the PID and Process cells is a continuation row of the preceding group in the original table)

5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 304 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.25.54.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 184.25.54.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8704 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
8704 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks an empty cell; a row with "-" in the PID and Process cells is a continuation row of the preceding group in the original table)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
- | - | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 184.25.54.100:80 | www.microsoft.com | Telgua | SV | whitelisted
- | - | 184.25.54.100:80 | www.microsoft.com | Telgua | SV | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2292 | svchost.exe | 239.255.255.250:3702 | - | - | - | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Columns: Domain, resolved IPs, Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 184.25.54.100
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.64
  • 40.126.31.3
  • 20.190.159.71
  • 40.126.31.130
  • 20.190.159.68
  • 40.126.31.73
  • 20.190.159.75
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

Columns: PID | Process | Class | Message

7904 | 660bd81c72d9e6a75f9802d28c592b76823c4a0aea8e9ccac98b35b9bc5e8b8a.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
No debug info