File name:

CD346241015615F9DFA7BE9BC278712D.exe

Full analysis: https://app.any.run/tasks/b09d22ad-8eee-44a9-9c75-97f95d092a7c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: March 02, 2025, 13:58:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 3 sections
MD5:

BD7FF7DB9203F9337FCA9BBCAC5186AE

SHA1:

9067AB40DFBAA4DB59F4126B17469B4111871FD9

SHA256:

86577DCDB29B4B1B63B72EB120208404478FD7C3B9099BDA9A3C0DCE0710FFEA

SSDEEP:

12288:gFhleHA0v0H+6Y34psDJba3BxY/l9D4zLo0Tz0nZfyCtvd5ifH1XWG3DrZS:IhlWAF+6Y34psDNaR+/l9D4z80Tz0nxP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Deletes shadow copies

      • cmd.exe (PID: 6068)

    • RANSOMWARE has been detected

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Renames files like ransomware

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 3676)
      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Reads security settings of Internet Explorer

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 3676)
      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Application launched itself

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 3676)

    • Executable content was dropped or overwritten

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Starts CMD.EXE for commands execution

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Creates file in the systems drive root

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Executes as Windows Service

      • VSSVC.exe (PID: 7340)

    • Suspicious files were dropped or overwritten

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

  • INFO

    • Reads the computer name

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 3676)
      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Process checks computer location settings

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 3676)
      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Checks supported languages

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 3676)
      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Creates files or folders in the user directory

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Creates files in the program directory

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)

    • Manual execution by a user

      • cmd.exe (PID: 7248)

    • UPX packer has been detected

      • CD346241015615F9DFA7BE9BC278712D.exe (PID: 5956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (47)
.exe | UPX compressed Win32 Executable (46.1)
.exe | Generic Win/DOS Executable (3.4)
.exe | DOS Executable Generic (3.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:01:18 21:18:45+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 393216
InitializedDataSize: 4096
UninitializedDataSize: 679936
EntryPoint: 0x1069b0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
17
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cd346241015615f9dfa7be9bc278712d.exe no specs THREAT cd346241015615f9dfa7be9bc278712d.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs vssvc.exe no specs sppextcomobj.exe no specs slui.exe no specs cmd.exe no specs conhost.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3676"C:\Users\admin\CD346241015615F9DFA7BE9BC278712D.exe" C:\Users\admin\CD346241015615F9DFA7BE9BC278712D.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\cd346241015615f9dfa7be9bc278712d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4380\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4756\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5956"C:\Users\admin\CD346241015615F9DFA7BE9BC278712D.exe" C:\Users\admin\CD346241015615F9DFA7BE9BC278712D.exe
CD346241015615F9DFA7BE9BC278712D.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\cd346241015615f9dfa7be9bc278712d.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6004"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exeCD346241015615F9DFA7BE9BC278712D.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
6068"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /QuietC:\Windows\System32\cmd.exeCD346241015615F9DFA7BE9BC278712D.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
6712"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled NoC:\Windows\System32\cmd.exeCD346241015615F9DFA7BE9BC278712D.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
7180C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
7200"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY /nointeractiveC:\Windows\System32\cmd.exeCD346241015615F9DFA7BE9BC278712D.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
1 842
Read events
1 839
Write events
3
Delete events
0

Modification events

(PID) Process:(5956) CD346241015615F9DFA7BE9BC278712D.exeKey:HKEY_CURRENT_USER\SOFTWARE\Proton
Operation:writeName:public
Value:
327D82B527DFE92014465CE6288655AD1CBB31DCF58D48975110A5344C47D562
(PID) Process:(5956) CD346241015615F9DFA7BE9BC278712D.exeKey:HKEY_CURRENT_USER\SOFTWARE\Proton
Operation:writeName:full
Value:
F0623DF6FCF29351C0E2610F56544AFAC7CFAF310B46ADDCEED9D4C23A4505E647702F6B1BC23049521D251861D08193CC6258E5CE482D0A52EDF0326EFA42F5472B821A174263CAE6717BF690B0524C29F4A65B2CAFE9C0C23AE629D209104635DBC3A607400C2BB61368B06320B0611BB9124FB7CF7124
(PID) Process:(5956) CD346241015615F9DFA7BE9BC278712D.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
18
Suspicious files
4 424
Text files
716
Unknown types
0

Dropped files

PID
Process
Filename
Type
5956CD346241015615F9DFA7BE9BC278712D.exeC:\#Read-for-recovery.txt
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\#Read-for-recovery.txt
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\Backup\#Read-for-recovery.txt
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\Rollback\#Read-for-recovery.txt
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\Scratch\#Read-for-recovery.txt
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\Scratch\WimTempPath\#Read-for-recovery.txt
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\Rollback.xml
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\Backup\location.txt.[Emilygoodgirl09@gmail.com].goodgir
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\$WinREAgent\rollbackinfo.ini.[Emilygoodgirl09@gmail.com].goodgir
MD5:
SHA256:
5956CD346241015615F9DFA7BE9BC278712D.exeC:\BOOTNXT
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
37
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2924
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5436
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5436
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.122.36:443
www.bing.com
Akamai International B.V.
DE
whitelisted
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
6544
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7636
backgroundTaskHost.exe
20.31.169.57:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 2.19.122.36
  • 2.19.122.34
  • 2.19.122.38
  • 2.19.122.27
  • 2.19.122.28
  • 2.19.122.40
  • 2.19.122.25
  • 2.19.122.26
  • 2.19.122.29
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.131
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.129
  • 20.190.159.23
  • 20.190.159.73
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
th.bing.com
  • 2.19.96.83
  • 2.19.96.120
  • 2.19.96.90
whitelisted
browser.pipe.aria.microsoft.com
  • 52.168.117.174
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CD346241015615F9DFA7BE9BC278712D.exe