File name:

HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.7z

Full analysis: https://app.any.run/tasks/7398e195-f220-4987-b5b1-528e91b10243
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data in order to extort a ransom. Most often it encrypts files on the infected machine and demands payment in exchange for the decryption key. Such programs can also steal sensitive information from the compromised computer, and their operators may conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 08, 2025, 15:20:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
arch-exec
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

BA0BBE843998DBF22341E1A2F68FE810

SHA1:

FBFD9A569C568361CC1BEC2E5DF294BB5FDC271F

SHA256:

726841B2D8B31DC3EAE2A8305C6984DC607442A40F8DED03BCE9208EEACF743C

SSDEEP:

98304:NEGc49LJ/XSlYB1AbGDNvv8V2mXSZJEepz3vNooJYQWi63GrFCaGrQn7IuQxc/Ev:y+2

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the reader's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • svchost.exe (PID: 7664)
    • Renames files like ransomware

      • svchost.exe (PID: 7664)
    • RANSOMWARE has been detected

      • svchost.exe (PID: 7664)
    • Deletes shadow copies

      • cmd.exe (PID: 5260)
      • cmd.exe (PID: 6652)
    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 7316)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • seop.exe (PID: 3020)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • seop.exe (PID: 3020)
      • startup.exe (PID: 7892)
      • svchost.exe (PID: 7664)
      • setup_ui.exe (PID: 7796)
    • Starts CMD.EXE for command execution

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • svchost.exe (PID: 7664)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5408)
    • Reads Microsoft Outlook installation path

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
    • Executing commands from a ".bat" file

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
    • Adds/modifies Windows certificates

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
    • The process creates files with name similar to system file names

      • seop.exe (PID: 3020)
    • Starts itself from another location

      • seop.exe (PID: 3020)
      • startup.exe (PID: 7328)
    • Application launched itself

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
    • Write to the desktop.ini file (may be used to cloak folders)

      • svchost.exe (PID: 7664)
    • Reads the date of Windows installation

      • svchost.exe (PID: 7664)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7992)
      • wbengine.exe (PID: 6988)
      • vds.exe (PID: 672)
    • Starts Notepad (likely to display the ransom note)

      • svchost.exe (PID: 7664)
    • The process checks whether antivirus software is installed

      • startup.exe (PID: 7892)
  • INFO

    • Create files in a temporary directory

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • NSIS Quick Setup Script Generator.exe (PID: 900)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7324)
    • Process checks computer location settings

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • svchost.exe (PID: 7664)
    • The sample was compiled with English language support

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • WinRAR.exe (PID: 7324)
      • startup.exe (PID: 2140)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
    • Manual execution by a user

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • notepad.exe (PID: 6036)
    • Checks supported languages

      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • seop.exe (PID: 3020)
      • NSIS Quick Setup Script Generator.exe (PID: 900)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • svchost.exe (PID: 7664)
      • ks4.021.3.10.391ru_25000.exe (PID: 7580)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
      • startup.exe (PID: 7844)
      • setup_ui.exe (PID: 7796)
    • Reads the computer name

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
      • seop.exe (PID: 3020)
      • NSIS Quick Setup Script Generator.exe (PID: 900)
      • svchost.exe (PID: 7664)
      • startup.exe (PID: 7328)
      • startup.exe (PID: 7892)
      • setup_ui.exe (PID: 7796)
    • Checks proxy server information

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Creates files or folders in the user directory

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • seop.exe (PID: 3020)
      • svchost.exe (PID: 7664)
      • HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe (PID: 8104)
    • Creates files in the program directory

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Reads the machine GUID from the registry

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • svchost.exe (PID: 7664)
      • setup_ui.exe (PID: 7796)
      • startup.exe (PID: 7892)
    • Reads the software policy settings

      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 2140)
      • startup.exe (PID: 7892)
    • Checks for the presence of KasperskyLab

      • startup.exe (PID: 2140)
      • ks4.021.3.10.391ru_25000.exe (PID: 7184)
      • startup.exe (PID: 7892)
    • Process checks whether UAC notifications are on

      • startup.exe (PID: 7892)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6036)
      • notepad.exe (PID: 7808)
      • WMIC.exe (PID: 6392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:07:20 12:03:50+00:00
ArchivedFileName: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
No data.
All screenshots are available in the full report
Total processes
166
Monitored processes
34
Malicious processes
9
Suspicious processes
1

Behavior graph

Processes shown in the graph, in the order listed (ANY.RUN's "no specs" badges omitted; the THREAT badge is kept on the process it follows): winrar.exe, sppextcomobj.exe, slui.exe, heur-trojan-ransom.msil.agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe, ks4.021.3.10.391ru_25000.exe, seop.exe, nsis quick setup script generator.exe, cmd.exe, conhost.exe, taskkill.exe, startup.exe (THREAT), svchost.exe, ks4.021.3.10.391ru_25000.exe, startup.exe, startup.exe, startup.exe, setup_ui.exe, cmd.exe, conhost.exe, vssadmin.exe, vssvc.exe, wmic.exe, notepad.exe, cmd.exe, conhost.exe, bcdedit.exe, bcdedit.exe, cmd.exe, conhost.exe, wbadmin.exe, wbengine.exe, vdsldr.exe, vds.exe, notepad.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: C:\WINDOWS\System32\vds.exe
Path: C:\Windows\System32\vds.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 900
CMD: "C:\Users\admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe"
Path: C:\Users\admin\AppData\Roaming\NSIS Quick Setup Script Generator.exe
Parent process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
User:
admin
Company:
Red Wine (red_wine@freemail.gr)
Integrity Level:
HIGH
Description:
NSIS Quick Setup Script Generator
Exit code:
2
Version:
1.09.18
Modules
Images
c:\users\admin\appdata\roaming\nsis quick setup script generator.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 1012
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2140
CMD: "C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.3.10.391.0.2521.0\au_setup_120C5CFA-148D-11F0-B4ED-18F7786F96EE\startup.exe" -auto_update_mode="C:\Users\admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe" /-self_remove -l=ru-RU -xpos=346 -ypos=71 -prevsetupver=21.3.10.391.0.2.0
Path: C:\ProgramData\Kaspersky Lab Setup Files\SAAS21.3.10.391.0.2521.0\au_setup_120C5CFA-148D-11F0-B4ED-18F7786F96EE\startup.exe
Parent process: ks4.021.3.10.391ru_25000.exe
User:
admin
Company:
Kaspersky Lab (Лаборатория Касперского)
Integrity Level:
HIGH
Description:
Kaspersky Security Cloud [21.3.10.391.0.2521.0 (a.b.c.d.e.f.g.h.i.j.k.l)]
Exit code:
0
Version:
21.3.10.391
Modules
Images
c:\programdata\kaspersky lab setup files\saas21.3.10.391.0.2521.0\au_setup_120c5cfa-148d-11f0-b4ed-18f7786f96ee\startup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\dbghelp.dll
PID: 3020
CMD: "C:\Users\admin\AppData\Roaming\seop.exe"
Path: C:\Users\admin\AppData\Roaming\seop.exe
Parent process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
1
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\seop.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5260
CMD: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Path: C:\Windows\System32\cmd.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 5408
CMD: C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Roaming\helper.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5680
CMD: taskkill /f /im HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
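The signature list and the process records above describe the behaviours a detection engineer would want to alert on: a process named svchost.exe spawning cmd.exe to run vssadmin delete shadows /all /quiet & wmic shadowcopy delete (PID 5260), bcdedit being used to modify recovery options, and cmd.exe running helper.bat out of the user's AppData\Roaming (PID 5408). The Python below is an added example, not part of the ANY.RUN report, that runs three such rules over constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 records: recovery-inhibition command lines (T1490), an svchost.exe masquerade check (image outside System32/SysWOW64 or parent other than services.exe), and a batch script launched from a user-writable path. The command lines for PIDs 5260 and 5408 are taken from this report; every image and parent path, the bcdedit command line for PID 7316, and the wbadmin pattern are assumptions, since the report only records that bcdedit modified recovery options and that svchost.exe started cmd.exe.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 / Security 4688 carry)."""
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# T1490 Inhibit System Recovery. The vssadmin and wmic patterns match the command
# line recorded for PID 5260 in this report; the bcdedit and wbadmin patterns are
# the usual companions of that behaviour and are assumed, not taken from the report.
RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows":  r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "wmic_shadowcopy_delete":   r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "bcdedit_disable_recovery": r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
    "wbadmin_delete_catalog":   r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b",
}
_RECOVERY_RE = {name: re.compile(p, re.IGNORECASE) for name, p in RECOVERY_PATTERNS.items()}

# Assumption behind the masquerade rule: the genuine svchost.exe lives in one of
# these directories and is started by services.exe; anything else is suspect.
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_SVCHOST_PARENT = "c:\\windows\\system32\\services.exe"
_USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_recovery_inhibition(ev: ProcEvent) -> list[Finding]:
    """Flag command lines that delete shadow copies or backups, or disable recovery."""
    return [Finding(ev.pid, name, ev.cmdline)
            for name, rx in _RECOVERY_RE.items() if rx.search(ev.cmdline)]


def check_svchost_masquerade(ev: ProcEvent) -> list[Finding]:
    """Flag a process named svchost.exe that is not the Windows binary started by services.exe."""
    if _basename(ev.image) != "svchost.exe":
        return []
    findings = []
    if not ev.image.lower().startswith(_SYSTEM_DIRS):
        findings.append(Finding(ev.pid, "svchost_outside_system_dir", ev.image))
    if ev.parent_image.lower() != _SVCHOST_PARENT:
        findings.append(Finding(ev.pid, "svchost_unexpected_parent", ev.parent_image))
    return findings


def check_batch_from_user_path(ev: ProcEvent) -> list[Finding]:
    """Flag cmd.exe /c or /k running a .bat/.cmd script from a user-writable location
    (unquoted script paths only; a quoted path containing spaces is not parsed here)."""
    if _basename(ev.image) != "cmd.exe":
        return []
    m = re.search(r'/[ck]\s+"?([^"\s]+\.(?:bat|cmd))\b', ev.cmdline, re.IGNORECASE)
    if m and m.group(1).lower().startswith(_USER_WRITABLE):
        return [Finding(ev.pid, "batch_from_user_writable_path", m.group(1))]
    return []


def analyse(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Run every rule over the events; return {pid: [rule names]} for PIDs with a hit."""
    hits: dict[int, list[str]] = defaultdict(list)
    for ev in events:
        for f in (check_recovery_inhibition(ev)
                  + check_svchost_masquerade(ev)
                  + check_batch_from_user_path(ev)):
            hits[f.pid].append(f.rule)
    return dict(hits)


# Constructed sample telemetry. The command lines of PIDs 5260 and 5408 are the ones
# recorded in this report; every path and the bcdedit line for PID 7316 are assumptions,
# since the report does not show them. PIDs 1234 and 2222 are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(7664, r"C:\Users\admin\AppData\Roaming\svchost.exe",
              r'"C:\Users\admin\AppData\Roaming\svchost.exe"', r"C:\Users\admin\AppData\Roaming\startup.exe"),
    ProcEvent(5260, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete',
              r"C:\Users\admin\AppData\Roaming\svchost.exe"),
    ProcEvent(7316, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled no & bcdedit /set {default} bootstatuspolicy ignoreallfailures',
              r"C:\Users\admin\AppData\Roaming\svchost.exe"),
    ProcEvent(5408, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Roaming\helper.bat", r"C:\Users\admin\Desktop\dropper.exe"),
    ProcEvent(1234, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
    ProcEvent(2222, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rules in analyse(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The benign controls matter as much as the hits: vssadmin list shadows and a real svchost.exe started by services.exe must stay silent, or the rules are unusable in production. Note also that PID 5408's command line says system32 while the image path is SysWOW64, which is file-system redirection for a 32-bit parent; matching on the image path rather than the command-line prefix avoids being misled by that.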
Total events
22 073
Read events
21 880
Write events
164
Delete events
29

Modification events

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.7z

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

Process: (7324) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
30
Suspicious files
40
Text files
218
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\ks4.021.3.10.391ru_25000.exe
Type: executable
MD5: 65B1F62ED862801391998F2452A310DA
SHA256: 4A552FA623EFA3975B49E054451F1E5C259FAEB475054D67E0C24559CAA13526

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Local\Temp\nszE7E3.tmp\nsExec.dll
Type: executable
MD5: 4C77A65BB121BB7F2910C1FA3CB38337
SHA256: 5E66489393F159AA0FD30B630BB345D03418E9324E7D834B2E4195865A637CFE

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Roaming\seop.exe
Type: executable
MD5: 3AB9A19EA7ED2D9297CD999810745940
SHA256: 583063845ACC5C46D05319E97F29660E88EFCF32F81990252FBDDD6420318B5D

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\120C5CF9-148D-11F0-B4ED-18F7786F96EE\kis-script-lte-ie8.js
Type: binary
MD5: 5134186180074C51639D7A514919ED23
SHA256: 33E84B33FF911257E3A6A303C08A2CC178827DADB7DFD7C951E096866E02AD5E

PID: 8104
Process: HEUR-Trojan-Ransom.MSIL.Agent.gen-0116be16799fbb28fa02b11c04f3c000a37b61189ade629eb9513429905def5b.exe
Filename: C:\Users\admin\AppData\Local\Temp\nssE245.tmp
Type: binary
MD5: 1A17B8493081427780754F9425DD8DBB
SHA256: 45B6D9DBDDCA4F71CC52472750D9E4B1A8285547BA984F2EE0E5C092E1CCF617

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\8FC5C021D8410F114BDE817F87F669EE\setup.dll
Type: executable
MD5: 0A6A0E99D0B9CD1CDB8816487986804F
SHA256: 747E1E95734829357F2AFC19B9C94B40FA22ECFD0A754708384E7473220038CB

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Type: binary
MD5: 3D42EAAE35D30D3A3433314EED05EDEB
SHA256: 6586E20714CFDCBA7B59C2C73A1182CA112620D0460D182FF83DD6C56DE0EAC4

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\120C5CF9-148D-11F0-B4ED-18F7786F96EE\kis-script.js
Type: binary
MD5: 026425CCBF4417EEFA444285707132EF
SHA256: 97E5F342227EA23C27C1B660F111847FCDD9D7B23C1D248C733A36F983FD7F04

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\120C5CF9-148D-11F0-B4ED-18F7786F96EE\check_new_version.html
Type: html
MD5: 9AF2C477FBA1D977E399E9982ECE8590
SHA256: 2FAA7DC6E90B4826C416FC6D462EDA0CD85DAB4E3FD68FC3563D0BBDF53B16DC

PID: 7184
Process: ks4.021.3.10.391ru_25000.exe
Filename: C:\Users\admin\AppData\Local\Temp\120C5CF9-148D-11F0-B4ED-18F7786F96EE\kis-loading.gif
Type: image
MD5: 69D4B9B309BFA6A87F7620647BAFD2D0
SHA256: F056164CF99799234C90E2318E90AB5D83D0FD855118224286FF0680EE455734
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
33
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7184
ks4.021.3.10.391ru_25000.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
6372
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6372
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7184
ks4.021.3.10.391ru_25000.exe
46.8.206.115:443
dm.s.kaspersky-labs.com
Solucions Valencianes i Noves Tecnologies SL
ES
suspicious

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.37
  • 23.216.77.8
  • 23.216.77.28
  • 23.216.77.34
  • 23.216.77.7
  • 23.216.77.43
  • 23.216.77.10
  • 23.216.77.38
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.65
  • 40.126.32.134
  • 20.190.160.64
  • 20.190.160.132
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
dm.s.kaspersky-labs.com
  • 46.8.206.115
  • 80.231.123.135
  • 195.122.169.10
unknown
ds.kaspersky.com
  • 82.202.184.193
  • 46.8.206.90
  • 82.202.185.146
  • 62.67.238.151
  • 81.19.104.172
  • 62.67.238.152
  • 82.202.184.184
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted

Threats

No threats detected
No debug info