File name: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.7z
Full analysis: https://app.any.run/tasks/5e7b7438-b021-4122-8860-70a487642d9a
Verdict: Malicious activity
Threats: Ransomware

Ransomware is malicious software that locks users out of their system or data to force them to pay a ransom. Most often it encrypts files on the infected machine and demands payment in exchange for the decryption key. Some families also steal sensitive data from the compromised host, or run DDoS attacks against the affected organization, to add pressure to pay.

Analysis date: April 17, 2025, 15:30:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: F206824908A659ECFA8DCA582740D48A
SHA1: B0D705B95B676C021C88548FEF46213237D0093A
SHA256: 7B94CFA04906C7F68B5EB2F25F28E147B10CB9042ECA7C6456D18D2B0BE8449B
SSDEEP: 24576:fmZE6u1s76++I5MIqEfBLQaGYL0YVUagbsX/7wYp4CJZ:fmZE6u1s76++I5MIqEfBsaGYL0YVUagq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5988)
    • Disables task manager

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Create files in the Startup directory

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 6876)
      • net.exe (PID: 4920)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 5008)
      • net.exe (PID: 4724)
      • net.exe (PID: 5608)
      • net.exe (PID: 4400)
      • cmd.exe (PID: 1324)
      • cmd.exe (PID: 2148)
      • net.exe (PID: 5332)
      • cmd.exe (PID: 1328)
      • net.exe (PID: 736)
      • net.exe (PID: 5776)
      • net.exe (PID: 728)
      • cmd.exe (PID: 1660)
    • RANSOMWARE has been detected

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Renames files like ransomware

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Starts CMD.EXE for commands execution

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 6644)
      • cmd.exe (PID: 5116)
    • Creates file in the systems drive root

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Checks for external IP

      • svchost.exe (PID: 2196)
    • Detected use of alternative data streams (AltDS)

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • The process creates files with name similar to system file names

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5988)
    • Manual execution by a user

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Creates files in the program directory

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe (PID: 4620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2022:06:21 06:23:23+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
No data.
All screenshots are available in the full report
Total processes: 178
Monitored processes: 50
Malicious processes: 1
Suspicious processes: 8

Behavior graph

Launch order as drawn in the full report ("no specs" marks a process with no flagged behaviour; THREAT marks the sample):
winrar.exe
sppextcomobj.exe (no specs)
slui.exe (no specs)
THREAT: heur-trojan-ransom.win32.generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
conhost.exe (no specs)
followed by the sample's child chains, in order, all "no specs":
  cmd.exe, conhost.exe, net.exe, net1.exe
  cmd.exe, conhost.exe (three times)
  cmd.exe, conhost.exe, net.exe, net1.exe (three times)
  cmd.exe, conhost.exe, netsh.exe (twice)
  cmd.exe, conhost.exe, net.exe, net1.exe (four times)
svchost.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID 300 | CMD: C:\WINDOWS\system32\net1 stop SQLWriter | Path: C:\Windows\SysWOW64\net1.exe | Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID 516 | CMD: C:\WINDOWS\system32\net1 stop SQLSERVERAGENT | Path: C:\Windows\SysWOW64\net1.exe | Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID 728 | CMD: net stop SQLBrowser | Path: C:\Windows\SysWOW64\net.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 736 | CMD: net stop MSSQL$CONTOSO1 | Path: C:\Windows\SysWOW64\net.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1116 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1164 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1324 | CMD: C:\WINDOWS\system32\cmd.exe /c net stop SQLWriter | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1328 | CMD: C:\WINDOWS\system32\cmd.exe /c net stop MSSQL$CONTOSO1 | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1660 | CMD: C:\WINDOWS\system32\cmd.exe /c net stop MSSQLSERVER | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1812 | CMD: C:\WINDOWS\system32\cmd.exe /c net stop MSSQLSERVER | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
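The cmd.exe > net.exe > net1.exe chains listed above are the sample stopping SQL Server services (SQLWriter, SQLSERVERAGENT, SQLBrowser, MSSQL$CONTOSO1, MSSQLSERVER) so that database files are not held open when encryption starts, and the two netsh.exe children change the firewall state. Every net stop here returned exit code 2, so the requests failed in the sandbox, most likely because those services do not exist on the analysis VM; on a production database host the same commands succeed. The Python below is an added triage example, not ANY.RUN's or the sample's code: it walks constructed process-creation events up past the cmd/net/netsh wrappers to the process that issued the commands and scores it. The command lines for the cmd/net/net1 rows are copied from the report; the parent links, the netsh arguments, the shortened image name sample.exe and the benign explorer.exe/Spooler decoy are assumptions made for the example.

```python
"""Triage process-creation telemetry for ransomware pre-encryption activity.

Added example, not ANY.RUN's or the sample's code. Command lines for the
cmd/net/net1 rows are copied from the report; the parent links, the netsh
arguments, the shortened image name sample.exe and the benign
explorer.exe/Spooler decoy are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed telemetry: (pid, ppid, image path, command line).
SAMPLE_EVENTS = [
    (4620, 5988, r"C:\Users\admin\Desktop\sample.exe", "sample.exe"),
    (1324, 4620, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c net stop SQLWriter"),
    (5332, 1324, r"C:\Windows\SysWOW64\net.exe", "net stop SQLWriter"),
    (300, 5332, r"C:\Windows\SysWOW64\net1.exe", r"C:\WINDOWS\system32\net1 stop SQLWriter"),
    (5228, 4620, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c net stop SQLSERVERAGENT"),
    (4724, 5228, r"C:\Windows\SysWOW64\net.exe", "net stop SQLSERVERAGENT"),
    (1328, 4620, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c net stop MSSQL$CONTOSO1"),
    (736, 1328, r"C:\Windows\SysWOW64\net.exe", "net stop MSSQL$CONTOSO1"),
    (1660, 4620, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c net stop MSSQLSERVER"),
    (5608, 1660, r"C:\Windows\SysWOW64\net.exe", "net stop MSSQLSERVER"),
    (2148, 4620, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c net stop SQLBrowser"),
    (728, 2148, r"C:\Windows\SysWOW64\net.exe", "net stop SQLBrowser"),
    # netsh arguments are an assumption: the report only says the firewall status was changed.
    (6644, 4620, r"C:\Windows\SysWOW64\cmd.exe", r"C:\WINDOWS\system32\cmd.exe /c netsh advfirewall set currentprofile state off"),
    (6645, 6644, r"C:\Windows\SysWOW64\netsh.exe", "netsh advfirewall set currentprofile state off"),
    # Constructed benign activity: an admin stops the print spooler from an interactive shell.
    (9000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (9001, 9000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (9002, 9001, r"C:\Windows\System32\net.exe", "net stop Spooler"),
]

SERVICE_STOP_RE = re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
FIREWALL_OFF_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
    r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)", re.I)
# Services ransomware stops so database/shadow-copy files are not held open (starter list).
TARGET_SERVICE_RE = re.compile(r"^(?:MS)?SQL|^VSS$", re.I)
# Wrappers to look through when attributing a command to the process that asked for it.
PASSTHROUGH = {"cmd.exe", "net.exe", "net1.exe", "netsh.exe", "conhost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def originating_process(pid, by_pid):
    """Climb the parent chain past cmd/net/netsh wrappers; return the pid that issued the command."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image, _ = by_pid[pid]
        if basename(image) not in PASSTHROUGH or ppid not in by_pid:
            return pid
        pid = ppid
    return pid


def triage(events):
    """Group service stops and firewall changes by originating process and score each group."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    found = defaultdict(lambda: {"services": set(), "firewall_off": False})
    for pid, _, _, cmd in events:
        stop, fw = SERVICE_STOP_RE.search(cmd), FIREWALL_OFF_RE.search(cmd)
        if not (stop or fw):
            continue
        origin = originating_process(pid, by_pid)
        if stop:  # cmd, net and net1 all echo the same service name; the set dedups them
            found[origin]["services"].add(stop.group(1))
        if fw:
            found[origin]["firewall_off"] = True
    report = {}
    for origin, f in found.items():
        targeted = sorted(s for s in f["services"] if TARGET_SERVICE_RE.match(s))
        verdict = ("ransomware-prep" if len(targeted) >= 2 or (targeted and f["firewall_off"])
                   else "review")
        report[origin] = {"image": basename(by_pid[origin][1]) if origin in by_pid else "?",
                          "services": sorted(f["services"]), "targeted": targeted,
                          "firewall_off": f["firewall_off"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for origin, r in triage(SAMPLE_EVENTS).items():
        print(origin, r)
```

The attribution step matters more than the regexes: a rule that fires on `net stop` alone will page on every administrator, whereas several database or VSS services stopped from one non-shell parent, with a firewall change from the same parent, is the pattern to block on.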
Total events: 15 696
Read events: 15 676
Write events: 20
Delete events: 0

Modification events

PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.7z
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
PID 5988 WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files: 5
Suspicious files: 825
Text files: 3
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type | MD5 | SHA256

4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\$WinREAgent\Backup\Winre.wim | (type, MD5 and SHA256 not recorded)
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\$WinREAgent\Backup\Winre.wim.[unlockdata@criptext.com][MJ-OP9826451730].Backup | (type, MD5 and SHA256 not recorded)
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\$WinREAgent\Scratch\update.wim | (type, MD5 and SHA256 not recorded)
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\$WinREAgent\Scratch\update.wim.[unlockdata@criptext.com][MJ-OP9826451730].Backup | (type, MD5 and SHA256 not recorded)
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\ProgramData\prvkey1.txt | text | MD5: CDC3F05326CBE38FBB4EA978971989EB | SHA256: EBB3B59F026A3DA0DB283C18D415D108AA63A841F547CEDDB3951C8059AA2716
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\ProgramData\IDk.txt | text | MD5: E8F743B00F15FE68DFB310BD8D6DFABA | SHA256: C9A0E74CA1A31B11962B7FC61B142FD7D44947DD5EE6440AF47FF645E99F7F1F
5988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5988.16740\HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | executable | MD5: 1305DF0E5A017EC3CE66A83BD631428E | SHA256: 353086A213C6868D07EF24F82AE4786D2F4A1AF67530E925A7CF53A49EA3964F
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\bootTel.dat.[unlockdata@criptext.com][MJ-OP9826451730].Backup | binary | MD5: CEB5A06EC6AB4610151C468ADDDAF612 | SHA256: AF8D6F6E5F060A734F558A44127DA51CE91546908848576B5A22ABBB81C3845A
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | executable | MD5: 1305DF0E5A017EC3CE66A83BD631428E | SHA256: 353086A213C6868D07EF24F82AE4786D2F4A1AF67530E925A7CF53A49EA3964F
4620 | HEUR-Trojan-Ransom.Win32.Generic-353086a213c6868d07ef24f82ae4786d2f4a1af67530e925a7cf53a49ea3964f.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1000\desktop.ini.[unlockdata@criptext.com][MJ-OP9826451730].Backup | binary | MD5: A277C0CE66E9965763F69D137083A3FC | SHA256: ED79B5F247CF30A8C3B42FFBBB1A822932D07685CA612B062B1797A7A56C847F
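Every renamed file in the table carries the same suffix pattern, <original name>.[unlockdata@criptext.com][MJ-OP9826451730].Backup, so the contact address, the per-victim ID and the appended extension can be read straight out of the file names; the two text files in C:\ProgramData and the copy of the payload in the all-users Startup folder (same SHA256 as the extracted sample, so a byte-identical self-copy) are the companion artifacts to collect. The Python below is an added example, not ANY.RUN's or the sample's code: it parses that naming scheme, classifies the dropped paths into encrypted files, persistence and ransom artifacts, and scans a directory tree for matching names. The paths are copied from the table with the long executable name shortened to sample.exe; the report[draft].Backup decoy and the temporary directory used by the scan are constructed for illustration.

```python
"""Classify the files a suspected ransomware process dropped or renamed.

Added example, not ANY.RUN's or the sample's code. Paths are copied from the
report's Dropped files table (executable name shortened to sample.exe); the
report[draft].Backup decoy and the temporary scan tree are constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Encrypted-file naming seen in the report:
#   <original name>.[<contact address>][<victim id>].<appended extension>
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<contact>[^\[\]]+@[^\[\]]+)\]"
    r"\[(?P<victim_id>[^\[\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)

SAMPLE_DROPPED = [  # (pid, path)
    (4620, r"C:\$WinREAgent\Backup\Winre.wim.[unlockdata@criptext.com][MJ-OP9826451730].Backup"),
    (4620, r"C:\$WinREAgent\Scratch\update.wim.[unlockdata@criptext.com][MJ-OP9826451730].Backup"),
    (4620, r"C:\bootTel.dat.[unlockdata@criptext.com][MJ-OP9826451730].Backup"),
    (4620, r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1000\desktop.ini.[unlockdata@criptext.com][MJ-OP9826451730].Backup"),
    (4620, r"C:\ProgramData\prvkey1.txt"),
    (4620, r"C:\ProgramData\IDk.txt"),
    (4620, r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\sample.exe"),  # Startup self-copy
    (4620, r"C:\Users\admin\Documents\report[draft].Backup"),  # constructed decoy: bracket in a normal name
    (5988, r"C:\Users\admin\AppData\Local\Temp\Rar$DRb5988.16740\sample.exe"),  # WinRAR extraction
]


def filename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_encrypted_name(path):
    """Return the name's components if it follows the ransomware scheme, else None."""
    m = ENCRYPTED_NAME_RE.match(filename(path))
    return m.groupdict() if m else None


def classify(path):
    if parse_encrypted_name(path):
        return "encrypted"
    if STARTUP_DIR_RE.search(path):
        return "persistence"      # payload copied into the all-users Startup folder
    low = path.lower()
    if low.startswith("c:\\programdata\\") and low.endswith(".txt"):
        return "ransom-artifact"  # key/ID material written next to the payload
    return "other"


def summarize(dropped):
    """IOC summary over a list of (pid, path): classes, contacts, victim ids, extensions."""
    enc = [d for d in (parse_encrypted_name(p) for _, p in dropped) if d]
    return {
        "by_class": dict(Counter(classify(p) for _, p in dropped)),
        "contacts": sorted({d["contact"] for d in enc}),
        "victim_ids": sorted({d["victim_id"] for d in enc}),
        "appended_ext": sorted({d["ext"] for d in enc}),
        "original_types": dict(Counter(os.path.splitext(d["original"])[1].lower() for d in enc)),
        "persistence": [p for _, p in dropped if classify(p) == "persistence"],
    }


def scan_tree(root):
    """Return files under root whose names match the encrypted-file pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if ENCRYPTED_NAME_RE.match(f)]
    return sorted(hits)


def demo_scan():
    """Build a throwaway tree with constructed names, scan it, return relative hits."""
    names = ["a.docx.[unlockdata@criptext.com][MJ-OP9826451730].Backup", "notes.txt",
             "sub/x.wim.[unlockdata@criptext.com][MJ-OP9826451730].Backup"]
    with tempfile.TemporaryDirectory() as root:
        for rel in names:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in scan_tree(root)]


if __name__ == "__main__":
    for pid, p in SAMPLE_DROPPED:
        print(pid, classify(p), filename(p))
    print(summarize(SAMPLE_DROPPED))
    print(demo_scan())
```

The contact address and victim ID extracted this way are the values to pivot on across hosts: a second machine whose files carry the same address but a different ID was hit by the same campaign with a different per-victim key.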
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 15
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | whitelisted
756 | lsass.exe | GET | 200 | 2.16.252.233:80 | http://x1.c.lencr.org/ | CN: unknown | whitelisted
756 | lsass.exe | GET | 200 | 2.16.206.148:80 | http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEga9qG8OP5P3FQB8Nhi78jZFBw%3D%3D | CN: unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | whitelisted
1228 | SIHClient.exe | GET | 200 | 2.16.253.202:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | whitelisted

All six HTTP requests are Windows CRL/OCSP fetches by system components; none originates from the sample.

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

(PID and process not recorded) | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | whitelisted
2292 | svchost.exe | 239.255.255.250:3702 | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.173
  • 23.48.23.180
  • 23.48.23.166
  • 23.48.23.141
  • 23.48.23.169
  • 23.48.23.143
  • 23.48.23.193
  • 23.48.23.176
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.128
  • 20.190.160.132
  • 40.126.32.140
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.14
  • 20.190.160.130
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
api.my-ip.io
  • 23.88.33.229
unknown
x1.c.lencr.org
  • 2.16.252.233
whitelisted
e6.o.lencr.org
  • 2.16.206.148
  • 2.16.206.143
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

Columns: PID | Process | Class | Message

2196 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)

The process named here is most likely the DNS Client service host resolving the query on another process's behalf rather than the origin of the request. api.my-ip.io is the only DNS request in the run that is not whitelisted, and an external-IP lookup is a common part of a ransomware's victim-fingerprinting step; there is no connection row for it, so the lookup did not lead to an observed HTTP exchange in this run.
No debug info