File name:

HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.7z

Full analysis: https://app.any.run/tasks/7398e195-f220-4987-b5b1-528e91b10243
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 08, 2025, 15:20:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
arch-exec
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

BA0BBE843998DBF22341E1A2F68FE810

SHA1:

FBFD9A569C568361CC1BEC2E5DF294BB5FDC271F

SHA256:

726841B2D8B31DC3EAE2A8305C6984DC607442A40F8DED03BCE9208EEACF743C

SSDEEP:

98304:NEGc49LJ/XSlYB1AbGDNvv8V2mXSZJEepz3vNooJYQWi63GrFCaGrQn7IuQxc/Ev:y+2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • svchost.exe (PID: 7664)
    • Renames files like ransomware

      • svchost.exe (PID: 7664)
    • RANSOMWARE has been detected

      • svchost.exe (PID: 7664)
    • Deletes shadow copies

      • cmd.exe (PID: 5260)
      • cmd.exe (PID: 6652)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 7316)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • svchost.exe (PID: 7664)
    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • seop.exe (PID: 3020)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • startup.exe (PID: 2140)
      • seop.exe (PID: 3020)
      • svchost.exe (PID: 7664)
      • setup_ui.exe (PID: 7796)
      • startup.exe (PID: 7892)
    • Reads Microsoft Outlook installation path

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
    • Executing commands from a ".bat" file

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5408)
    • The process creates files with name similar to system file names

      • seop.exe (PID: 3020)
    • Starts itself from another location

      • seop.exe (PID: 3020)
      • startup.exe (PID: 7328)
    • Adds/modifies Windows certificates

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
    • Application launched itself

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
    • Reads the date of Windows installation

      • svchost.exe (PID: 7664)
    • Write to the desktop.ini file (may be used to cloak folders)

      • svchost.exe (PID: 7664)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7992)
      • wbengine.exe (PID: 6988)
      • vds.exe (PID: 672)
    • Start notepad (likely ransomware note)

      • svchost.exe (PID: 7664)
    • The process verifies whether the antivirus software is installed

      • startup.exe (PID: 7892)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7324)
    • The sample compiled with english language support

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • WinRAR.exe (PID: 7324)
      • startup.exe (PID: 2140)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
    • Manual execution by a user

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • notepad.exe (PID: 6036)
    • Creates files or folders in the user directory

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • seop.exe (PID: 3020)
      • svchost.exe (PID: 7664)
    • Create files in a temporary directory

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • NSIS Quick Setup Script Generator.exe (PID: 900)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Reads the computer name

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • seop.exe (PID: 3020)
      • NSIS Quick Setup Script Generator.exe (PID: 900)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
      • svchost.exe (PID: 7664)
      • setup_ui.exe (PID: 7796)
    • Checks supported languages

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • seop.exe (PID: 3020)
      • NSIS Quick Setup Script Generator.exe (PID: 900)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • svchost.exe (PID: 7664)
      • ks4.021.3.10.391ru_25000.exe (PID: 7580)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
      • startup.exe (PID: 7844)
      • setup_ui.exe (PID: 7796)
    • Checks proxy server information

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Process checks computer location settings

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • svchost.exe (PID: 7664)
    • Reads the software policy settings

      • startup.exe (PID: 2140)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 7892)
    • Checks for the presence of KasperskyLab

      • startup.exe (PID: 2140)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 7892)
    • Reads the machine GUID from the registry

      • startup.exe (PID: 2140)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • svchost.exe (PID: 7664)
      • setup_ui.exe (PID: 7796)
      • startup.exe (PID: 7892)
    • Creates files in the program directory

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6392)
      • notepad.exe (PID: 6036)
      • notepad.exe (PID: 7808)
    • Process checks whether UAC notifications are on

      • startup.exe (PID: 7892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:07:20 12:03:50+00:00
ArchivedFileName: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
No data.
All screenshots are available in the full report
Total processes
166
Monitored processes
34
Malicious processes
9
Suspicious processes
1

Behavior graph

Processes in graph order ("no specs" marks processes without detailed specs; THREAT marks the process flagged as malicious):
  • start
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • heur-trojan-ransom.msil.agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
  • ks4.021.3.10.391ru_25000.exe
  • seop.exe
  • nsis quick setup script generator.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • startup.exe
  • svchost.exe (THREAT)
  • ks4.021.3.10.391ru_25000.exe (no specs)
  • startup.exe
  • startup.exe
  • startup.exe (no specs)
  • setup_ui.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • vssadmin.exe (no specs)
  • vssvc.exe (no specs)
  • wmic.exe (no specs)
  • notepad.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • bcdedit.exe (no specs)
  • bcdedit.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wbadmin.exe (no specs)
  • wbengine.exe (no specs)
  • vdsldr.exe (no specs)
  • vds.exe (no specs)
  • notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
496
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
672
CMD:
C:\WINDOWS\System32\vds.exe
Path:
C:\Windows\System32\vds.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
900
CMD:
"C:\Users\admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe"
Path:
C:\Users\admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe
Parent process:
HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
User:
admin
Company:
Red Wine (red_wine@freemail.gr)
Integrity Level:
HIGH
Description:
NSIS Quick Setup Script Generator
Exit code:
2
Version:
1.09.18
Modules
Images
c:\users\admin\appdata\roaming\nsis quick setup script generator.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID:
1012
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2100
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2140
CMD:
"C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.3.10.391.0.2521.0\au_setup_120C5CFA-148D-11F0-B4ED-18F7786F96EE\startup.exe" -auto_update_mode="C:\Users\admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe" /-self_remove -l=ru-RU -xpos=346 -ypos=71 -prevsetupver=21.3.10.391.0.2.0
Path:
C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.3.10.391.0.2521.0\au_setup_120C5CFA-148D-11F0-B4ED-18F7786F96EE\startup.exe
Parent process:
ks4.021.3.10.391ru_25000.exe
User:
admin
Company:
Лаборатория Касперского
Integrity Level:
HIGH
Description:
Kaspersky Security Cloud [21.3.10.391.0.2521.0 (a.b.c.d.e.f.g.h.i.j.k.l)]
Exit code:
0
Version:
21.3.10.391
Modules
Images
c:\programdata\kaspersky lab setup files\saas21.3.10.391.0.2521.0\au_setup_120c5cfa-148d-11f0-b4ed-18f7786f96ee\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
PID:
3020
CMD:
"C:\Users\admin\AppData\Roaming\seop.exe"
Path:
C:\Users\admin\AppData\Roaming\seop.exe
Parent process:
HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
1
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\seop.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
5260
CMD:
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Path:
C:\Windows\System32\cmd.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
5408
CMD:
C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Roaming\helper.bat
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5680
CMD:
taskkill /f /im HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
22 073
Read events
21 880
Write events
164
Delete events
29

Modification events

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.7z

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
30
Suspicious files
40
Text files
218
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7324
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb7324.45652\HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Type: executable
MD5: 9FBE0C531FFC2D9BAAE44ED976CB6110
SHA256: 0116BE16799FBB28FA02B11C04F3C000A37B61189ADE629EB9513429905DEF5B

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\seop.exe
Type: executable
MD5: 3AB9A19EA7ED2D9297CD999810745940
SHA256: 583063845ACC5C46D05319E97F29660E88EFCF32F81990252FBDDD6420318B5D

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\helper.bat
Type: text
MD5: 68818C233D321E2CBAD5D0E1CBEA3D36
SHA256: 4B1DB4D67FC7F19B89647F26331BEA8D2BA78B39EFD9A58E7DDB33E4579D3730

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe
Type: executable
MD5: 65B1F62ED862801391998F2452A310DA
SHA256: 4A552FA623EFA3975B49E054451F1E5C259FAEB475054D67E0C24559CAA13526

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Local\Temp\nszE7E3.tmp\nsExec.dll
Type: executable
MD5: 4C77A65BB121BB7F2910C1FA3CB38337
SHA256: 5E66489393F159AA0FD30B630BB345D03418E9324E7D834B2E4195865A637CFE

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\selfdelete.bat
Type: text
MD5: 04CEA8A2208BFFB290C06EE19568C1AB
SHA256: 5FE727E2286E27C145D4D3A502AD26D6109F742AF6E3083FAE4C8FD7099ECE52

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe
Type: executable
MD5: E7EAF7358ACCD0BE1AF8B8B1FE1842C3
SHA256: 4CD5F0EBB5DF687EDBC0A08346241893FA4F2365F102D3D08060DACE185DD11B

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Type: binary
MD5: B71CCDA6F724D996B0A12871116B9764
SHA256: FAF303D04579C9C8D913D9810EE317042894D92716E4FCDD6E48934093AC66D0

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\120C5CF9-148D-11F0-B4ED-18F7786F96EE\check_new_version.html
Type: html
MD5: 9AF2C477FBA1D977E399E9982ECE8590
SHA256: 2FAA7DC6E90B4826C416FC6D462EDA0CD85DAB4E3FD68FC3563D0BBDF53B16DC

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\120C5CF9-148D-11F0-B4ED-18F7786F96EE\kis-script.js
Type: binary
MD5: 026425CCBF4417EEFA444285707132EF
SHA256: 97E5F342227EA23C27C1B660F111847FCDD9D7B23C1D248C733A36F983FD7F04
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
33
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7184
ks4.021.3.10.391ru_25000.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
6372
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6372
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7184
ks4.021.3.10.391ru_25000.exe
46.8.206.115:443
dm.s.kaspersky-labs.com
Solucions Valencianes i Noves Tecnologies SL
ES
suspicious

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.37
  • 23.216.77.8
  • 23.216.77.28
  • 23.216.77.34
  • 23.216.77.7
  • 23.216.77.43
  • 23.216.77.10
  • 23.216.77.38
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.65
  • 40.126.32.134
  • 20.190.160.64
  • 20.190.160.132
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
dm.s.kaspersky-labs.com
  • 46.8.206.115
  • 80.231.123.135
  • 195.122.169.10
unknown
ds.kaspersky.com
  • 82.202.184.193
  • 46.8.206.90
  • 82.202.185.146
  • 62.67.238.151
  • 81.19.104.172
  • 62.67.238.152
  • 82.202.184.184
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted

Threats

No threats detected
No debug info