File name:

7f1e079a025d0e3818bc09763c2dc73230b7f9b24d407d6c9de820a72fe7dea4

Full analysis: https://app.any.run/tasks/aa1b07f5-2a66-4ed1-a40a-5bedb29df954
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 10, 2025, 21:01:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ransomware
smert
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

FCE083EBF1AB58702558EE5444BD96E4

SHA1:

0C05DE050724D7B043748F418F9B990765EEDBB6

SHA256:

7F1E079A025D0E3818BC09763C2DC73230B7F9B24D407D6C9DE820A72FE7DEA4

SSDEEP:

98304:MUmvKEXigf2lZk35i/0ZsJne95by1MswoI2iog3jwy7MCgkhnX43nRw5W8vwpaVg:BUP4bjGr/Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7628)
    • Deletes shadow copies

      • cmd.exe (PID: 7972)
      • cmd.exe (PID: 920)
      • cmd.exe (PID: 2616)
      • 5.exe (PID: 3896)
    • Renames files like ransomware

      • 3.exe (PID: 7876)
      • 5.exe (PID: 3896)
    • SMERT has been detected

      • 4.exe (PID: 7768)
    • RANSOMWARE has been detected

      • 4.exe (PID: 7768)
      • 5.exe (PID: 3896)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 8100)
    • Starts CMD.EXE for commands execution

      • 3.exe (PID: 7876)
    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 5588)
      • 4.exe (PID: 6964)
      • 4.exe (PID: 7768)
      • 1.exe (PID: 9048)
    • Reads the date of Windows installation

      • 4.exe (PID: 6964)
    • Application launched itself

      • 4.exe (PID: 6964)
    • Creates file in the systems drive root

      • 4.exe (PID: 7768)
      • 5.exe (PID: 3896)
    • Uses pipe srvsvc via SMB (transferring data)

      • 3.exe (PID: 7876)
    • Uses TASKKILL.EXE to kill process

      • 5.exe (PID: 3896)
    • The process creates files with name similar to system file names

      • 4.exe (PID: 7768)
    • Uses TASKKILL.EXE to kill Browsers

      • 5.exe (PID: 3896)
    • Uses TASKKILL.EXE to kill Office Apps

      • 5.exe (PID: 3896)
  • INFO

    • Manual execution by a user

      • 3.exe (PID: 7876)
      • 3.exe (PID: 7828)
      • WinRAR.exe (PID: 6572)
      • 2.exe (PID: 6728)
      • WinRAR.exe (PID: 7336)
      • 4.exe (PID: 6964)
      • 5.exe (PID: 3896)
      • notepad.exe (PID: 4728)
      • rundll32.exe (PID: 6660)
      • OpenWith.exe (PID: 4300)
      • OpenWith.exe (PID: 7536)
      • OpenWith.exe (PID: 7504)
      • rundll32.exe (PID: 4408)
      • OpenWith.exe (PID: 7524)
      • rundll32.exe (PID: 872)
      • rundll32.exe (PID: 4652)
      • WinRAR.exe (PID: 6208)
      • OpenWith.exe (PID: 6264)
      • OpenWith.exe (PID: 4976)
      • notepad.exe (PID: 6036)
      • OpenWith.exe (PID: 5868)
      • OpenWith.exe (PID: 660)
      • OpenWith.exe (PID: 8936)
      • WinRAR.exe (PID: 8840)
      • OpenWith.exe (PID: 9112)
      • OpenWith.exe (PID: 9020)
      • 1.exe (PID: 9048)
      • WinRAR.exe (PID: 8800)
      • OpenWith.exe (PID: 8816)
      • OpenWith.exe (PID: 9124)
      • OpenWith.exe (PID: 2088)
      • OpenWith.exe (PID: 8856)
      • OpenWith.exe (PID: 668)
      • OpenWith.exe (PID: 2268)
      • OpenWith.exe (PID: 8736)
      • OpenWith.exe (PID: 632)
      • OpenWith.exe (PID: 9200)
      • OpenWith.exe (PID: 9040)
      • OpenWith.exe (PID: 2320)
      • OpenWith.exe (PID: 8744)
      • OpenWith.exe (PID: 3028)
      • OpenWith.exe (PID: 6516)
      • OpenWith.exe (PID: 8960)
      • OpenWith.exe (PID: 9184)
    • Reads the machine GUID from the registry

      • 3.exe (PID: 7876)
      • 4.exe (PID: 7768)
      • 1.exe (PID: 9048)
    • Checks supported languages

      • 3.exe (PID: 7876)
      • ShellExperienceHost.exe (PID: 5588)
      • 4.exe (PID: 6964)
      • 2.exe (PID: 6728)
      • 4.exe (PID: 7768)
      • 5.exe (PID: 3896)
      • 1.exe (PID: 9048)
    • Reads the computer name

      • 3.exe (PID: 7876)
      • ShellExperienceHost.exe (PID: 5588)
      • 2.exe (PID: 6728)
      • 4.exe (PID: 6964)
      • 4.exe (PID: 7768)
      • 1.exe (PID: 9048)
      • 5.exe (PID: 3896)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8024)
      • WMIC.exe (PID: 1180)
      • WMIC.exe (PID: 7748)
      • notepad.exe (PID: 6036)
    • Process checks computer location settings

      • 4.exe (PID: 6964)
    • Reads the software policy settings

      • 4.exe (PID: 7768)
      • slui.exe (PID: 6760)
    • Checks proxy server information

      • 4.exe (PID: 7768)
      • slui.exe (PID: 6760)
      • 1.exe (PID: 9048)
    • Creates files in the program directory

      • 4.exe (PID: 7768)
      • 5.exe (PID: 3896)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • 5.exe (PID: 3896)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4300)
      • OpenWith.exe (PID: 7536)
      • OpenWith.exe (PID: 7524)
      • OpenWith.exe (PID: 7504)
      • OpenWith.exe (PID: 6264)
      • OpenWith.exe (PID: 4976)
      • OpenWith.exe (PID: 5868)
      • OpenWith.exe (PID: 660)
      • OpenWith.exe (PID: 8936)
      • OpenWith.exe (PID: 9112)
      • OpenWith.exe (PID: 8816)
      • OpenWith.exe (PID: 2088)
      • OpenWith.exe (PID: 9124)
      • OpenWith.exe (PID: 3028)
      • OpenWith.exe (PID: 2320)
      • OpenWith.exe (PID: 632)
      • OpenWith.exe (PID: 8736)
      • OpenWith.exe (PID: 668)
      • OpenWith.exe (PID: 8856)
      • OpenWith.exe (PID: 2268)
      • OpenWith.exe (PID: 9200)
      • OpenWith.exe (PID: 8744)
      • OpenWith.exe (PID: 9040)
      • OpenWith.exe (PID: 6516)
      • OpenWith.exe (PID: 8960)
      • OpenWith.exe (PID: 9020)
      • OpenWith.exe (PID: 9184)
    • Creates files or folders in the user directory

      • 5.exe (PID: 3896)
    • Disables trace logs

      • 1.exe (PID: 9048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:03:06 15:31:56
ZipCRC: 0xc73b8861
ZipCompressedSize: 3763413
ZipUncompressedSize: 3763413
ZipFileName: 1.zip
No data.
All screenshots are available in the full report
Total processes: 276
Monitored processes: 146
Malicious processes: 7
Suspicious processes: 0

Behavior graph

(interactive process graph; nodes flagged THREAT: 4.exe, 5.exe; the complete graph is in the full report)

Process information

PID | CMD | Path | Indicators | Parent process
PID 632 | CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\etcclinical.png.DAFAIJHEAE.smert.lock | Path: C:\Windows\System32\OpenWith.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 660 | CMD: cmd /c vssadmin Delete Shadows /All /Quiet | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: 3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 660 | CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\postedhuge.png.DAFAIJHEAE.smert | Path: C:\Windows\System32\OpenWith.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 668 | CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Downloads\jobpool.png.DAFAIJHEAE.smert.lock | Path: C:\Windows\System32\OpenWith.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID 672 | CMD: taskkill /f /im oracle.exe | Path: C:\Windows\System32\taskkill.exe | Parent process: 5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 780 | CMD: taskkill /f /im viber.exe | Path: C:\Windows\System32\taskkill.exe | Parent process: 5.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 872 | CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\postedhuge.png | Path: C:\Windows\System32\rundll32.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID 920 | CMD: cmd /c wmic SHADOWCOPY DELETE /nointeractive | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: 3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147749908
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1180 | CMD: wmic SHADOWCOPY DELETE /nointeractive | Path: C:\Windows\SysWOW64\wbem\WMIC.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 1388 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: 4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 79 659
Read events: 79 585
Write events: 74
Delete events: 0

Modification events

Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\7f1e079a025d0e3818bc09763c2dc73230b7f9b24d407d6c9de820a72fe7dea4.zip
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Process: (7628) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process: (6572) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files: 11
Suspicious files: 3 271
Text files: 346
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7876 | 3.exe | \\?\Volume{2f5c5e71-85a9-11eb-90a8-9a9b76358421}\NvVars | binary
MD5: 02C73ADBEBC772CF227B548FFD92D560
SHA256: F38F6F68F002BFC93B13E88A260A03CBCAEC8644B88F202D8DFEA6898165D40C
7876 | 3.exe | \\?\Volume{eaf65672-68c3-4f99-8d5c-104b5f4d8fff}\$WINRE_BACKUP_PARTITION.MARKER | binary
MD5: 27322C564E14D0BA4F8538A03C5E419D
SHA256: FB940C6A5850712C47AE2BE9F9285E50FB294A49849556960409CE156D8D3514
7876 | 3.exe | C:\Users\admin\Desktop\7f1e079a025d0e3818bc09763c2dc73230b7f9b24d407d6c9de820a72fe7dea4
MD5:
SHA256:
7876 | 3.exe | C:\Users\admin\Desktop\7f1e079a025d0e3818bc09763c2dc73230b7f9b24d407d6c9de820a72fe7dea4.DAFAIJHEAE
MD5:
SHA256:
7876 | 3.exe | C:\Users\admin\Desktop\7f1e079a025d0e3818bc09763c2dc73230b7f9b24d407d6c9de820a72fe7dea4.zip
MD5:
SHA256:
7876 | 3.exe | C:\Users\admin\Desktop\7f1e079a025d0e3818bc09763c2dc73230b7f9b24d407d6c9de820a72fe7dea4.zip.DAFAIJHEAE
MD5:
SHA256:
7876 | 3.exe | C:\$WinREAgent\Backup\location.txt.DAFAIJHEAE | binary
MD5: 511919EB958C9C66722BB9C8D9868223
SHA256: F2FBC2A3B74510E84B58AAF88F0D2D6608B9338263207C3C8C115946838BEA7B
7876 | 3.exe | C:\$WinREAgent\Backup\location.txt | binary
MD5: 511919EB958C9C66722BB9C8D9868223
SHA256: F2FBC2A3B74510E84B58AAF88F0D2D6608B9338263207C3C8C115946838BEA7B
7876 | 3.exe | C:\$WinREAgent\HOW_TO_RECOVER_FILES.txt | text
MD5: BC930A8D876BAD1C09B20DDE7DC4FCF8
SHA256: 794D8693B98388540D1E61A8EAC2B5E023A6BDCF7D9F913FC7A56695CBECF648
7876 | 3.exe | C:\$WinREAgent\Rollback.xml.DAFAIJHEAE | binary
MD5: 683B24B77B2D4F3B88C126B8D3AEA5FD
SHA256: EADB2340CDC6E69348E094FCDDB4B2DE16242BC4DFB0EEE2CC24ACC80DA8571C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 25
TCP/UDP connections: 57
DNS requests: 16
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4844 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4844 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
4844 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
4844 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
(no PID/process listed) | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown
(no PID/process listed) | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/sls/ping | unknown
(no PID/process listed) | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
4996 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(no PID/process listed) | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
(no PID/process listed) | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4996 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
(no PID/process listed) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4996 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.1:445 | unknown
4 | System | 192.168.100.1:139 | unknown
4844 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4844 | SIHClient.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
tdsoperational.pythonanywhere.com
  • 35.173.69.207
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID | Process | Class | Message
(no PID/process listed) | Misc activity | ET INFO Observed HTTP Request to *.pythonanywhere .com Domain
No debug info