File name:

HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.7z

Full analysis: https://app.any.run/tasks/67b8e666-9f1c-4d5a-accf-d8d81df3301d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: April 05, 2025, 14:06:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
arch-exec
ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

3E21B97DA3704C496200931717697235

SHA1:

9C645CE1301F75DCF569C44F8E3E7B07BF3E1404

SHA256:

78A553B179563B4DEC58881158E2B7F3A6A8D287CF49DC21D32E9D87DE10FF40

SSDEEP:

98304:HosOTiUPRGa2Y7f1H21k4gZ6LC8mcs3KGtokySlUQYhitA8rSnJVae6kKch0/h7i:SVfM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 1804)
      • net.exe (PID: 904)
      • cmd.exe (PID: 1240)
      • net.exe (PID: 2800)
      • net.exe (PID: 1512)
      • cmd.exe (PID: 5720)
      • cmd.exe (PID: 6388)
      • net.exe (PID: 7152)
      • cmd.exe (PID: 6800)
      • net.exe (PID: 1168)
      • cmd.exe (PID: 6148)
      • net.exe (PID: 6108)
      • net.exe (PID: 5400)
      • cmd.exe (PID: 4988)
      • net.exe (PID: 6184)
      • cmd.exe (PID: 632)

    • Disables task manager

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • RANSOMWARE has been detected

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Renames files like ransomware

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Starts CMD.EXE for commands execution

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2908)
      • cmd.exe (PID: 4464)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • Detected use of alternative data streams (AltDS)

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Creates file in the systems drive root

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • The process creates files with name similar to system file names

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

  • INFO

    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5408)

    • Manual execution by a user

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Creates files in the program directory

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)

    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe (PID: 1228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:05:17 12:10:28+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
48
Malicious processes
1
Suspicious processes
7

Behavior graph

Click at the process to see the details
start winrar.exe THREAT heur-trojan-ransom.win32.generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
632C:\WINDOWS\system32\cmd.exe /c bcdedit /set {default} recoveryenabled noC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
632C:\WINDOWS\system32\cmd.exe /c net stop MSSQL$CONTOSO1C:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
904net stop MSDTCC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1168C:\WINDOWS\system32\net1 stop MSSQLSERVERC:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
1168net stop SQLWriterC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1228"C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe" C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\heur-trojan-ransom.win32.generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
1240C:\WINDOWS\system32\cmd.exe /c net stop SQLSERVERAGENTC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1512net stop MSSQLSERVERC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1672\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1804C:\WINDOWS\system32\cmd.exe /c net stop MSDTCC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
14 901
Read events
14 881
Write events
20
Delete events
0

Modification events

(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.7z
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(5408) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
4
Suspicious files
783
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$WinREAgent\Backup\Winre.wim
MD5:
SHA256:
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$WinREAgent\Backup\Winre.wim.[unlockdata@criptext.com][MJ-WK5016783492].Backup
MD5:
SHA256:
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$WinREAgent\Scratch\update.wim
MD5:
SHA256:
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$WinREAgent\Scratch\update.wim.[unlockdata@criptext.com][MJ-WK5016783492].Backup
MD5:
SHA256:
5408WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb5408.31777\HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeexecutable
MD5:3FC6DBD32666E3234BABC1D5A08D8FB6
SHA256:11E5D7EF5BDCB1A257DA2B40318EC6DD16864BC0E69274DD016899CB92C389FD
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\ProgramData\IDk.txttext
MD5:C22FFC526815D5B65C57A065EA996189
SHA256:D5CA8BD09002A771991F097743DBC0A42B9BB65EE7B9D6540C43822B6EADECC6
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$WinREAgent\Backup\boot.sdibinary
MD5:422B86CC2F9574326F13C5C325DA6AA0
SHA256:5A1A931477CC1CB68599ABF6EFB6ACB4A105A35637D7F2C59776A0D4028CB7F9
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\bootTel.dat.[unlockdata@criptext.com][MJ-WK5016783492].Backupbinary
MD5:ED1D4F0513789330D07755B6E8D98C4E
SHA256:CCA847401BDEBFEBA42B0AC7FD18BCE7FEB6907846618B7975474D3435066DDD
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$WinREAgent\Backup\location.txtbinary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1228HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.[unlockdata@criptext.com][MJ-WK5016783492].Backupbinary
MD5:7FC4BFD2147A2DE3DA8AAC3F46608322
SHA256:289D376D5F64D75C2727AA0AF6BA46AD8179D9F62B05D7ED8AFA988BDF321322
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
16
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
756
lsass.exe
GET
200
184.24.77.77:80
http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgTxg1mqZQ7oZ4ylsbWuAsVy%2Fw%3D%3D
unknown
whitelisted
756
lsass.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
unknown
whitelisted
1168
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1168
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.172.255.216:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3812
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.172.255.216
whitelisted
login.live.com
  • 20.190.160.132
  • 20.190.160.3
  • 40.126.32.72
  • 20.190.160.130
  • 20.190.160.65
  • 20.190.160.66
  • 40.126.32.76
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
api.my-ip.io
  • 23.88.33.229
unknown
x1.c.lencr.org
  • 69.192.161.44
whitelisted
e5.o.lencr.org
  • 184.24.77.77
  • 184.24.77.80
  • 184.24.77.45
  • 184.24.77.47
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HEUR-Trojan-Ransom.Win32.Generic-11e5d7ef5bdcb1a257da2b40318ec6dd16864bc0e69274dd016899cb92c389fd.7z