File name: tiburontigre@startmail.com.exe
Full analysis: https://app.any.run/tasks/2e9226a8-c07a-46a8-b56a-7ac2e3b21eb2
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data in order to extort a payment. Most often it encrypts files on the infected machine and demands a fee in exchange for the decryption key. Such programs can also exfiltrate sensitive information from the compromised computer, and their operators may run DDoS attacks against the affected organization to pressure it into paying.

Analysis date: June 16, 2025, 02:11:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 6E3D30868F97949059561EF9335F536A
SHA1: 31C408FB8FB80F485BB99BD06214F5E8EB6E6F59
SHA256: 884F5E98B2621DA3BD264CD99538AD17C5ED754E529FBF6AE8280DE7A990D2F6
SSDEEP: 6144:DFWz8K5TiqI+1C0+3OiqE0zyw1rHunqAMflb++p:czLc0+5gpnf1++

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for self-deleting

      • tiburontigre@startmail.com.exe (PID: 3752)
    • Changes the autorun value in the registry

      • svcpwk.exe (PID: 4676)
      • svcpwk.exe (PID: 6940)
    • Modifies files in the Chrome extension folder

      • svcpwk.exe (PID: 6940)
    • Deletes shadow copies

      • cmd.exe (PID: 2072)
    • RANSOMWARE has been detected

      • svcpwk.exe (PID: 6940)
  • SUSPICIOUS

    • Starts itself from another location

      • tiburontigre@startmail.com.exe (PID: 3752)
    • Reads security settings of Internet Explorer

      • tiburontigre@startmail.com.exe (PID: 3752)
      • svcpwk.exe (PID: 6940)
      • svcpwk.exe (PID: 4676)
    • Starts CMD.EXE for commands execution

      • tiburontigre@startmail.com.exe (PID: 3752)
      • svcpwk.exe (PID: 6940)
    • Executable content was dropped or overwritten

      • tiburontigre@startmail.com.exe (PID: 3752)
    • Application launched itself

      • svcpwk.exe (PID: 4676)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4708)
    • Creates file in the systems drive root

      • svcpwk.exe (PID: 6940)
  • INFO

    • Reads the computer name

      • tiburontigre@startmail.com.exe (PID: 3752)
      • svcpwk.exe (PID: 4676)
      • svcpwk.exe (PID: 6940)
    • Checks supported languages

      • tiburontigre@startmail.com.exe (PID: 3752)
      • svcpwk.exe (PID: 4676)
      • svcpwk.exe (PID: 6940)
    • Create files in a temporary directory

      • tiburontigre@startmail.com.exe (PID: 3752)
      • svcpwk.exe (PID: 6940)
    • Process checks computer location settings

      • tiburontigre@startmail.com.exe (PID: 3752)
      • svcpwk.exe (PID: 4676)
      • svcpwk.exe (PID: 6940)
    • Launching a file from a Registry key

      • svcpwk.exe (PID: 4676)
      • svcpwk.exe (PID: 6940)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1212)
    • Creates files or folders in the user directory

      • svcpwk.exe (PID: 6940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 156672
InitializedDataSize: 56832
UninitializedDataSize: -
EntryPoint: 0x257cc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
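The EXIF fields above are read directly from the COFF file header and the PE32 optional header. The Python below is an added example and is not part of the ANY.RUN report: it builds a constructed, header-only PE32 image in memory carrying the same field values (it is not the real sample) and parses it back the way a triage script would. It also checks the timestamp against 0x2A425E19 (1992-06-19 22:22:17 UTC), the fixed link-time stamp that Delphi-built binaries carry regardless of when they were compiled, so the TimeStamp shown here says nothing about when the sample was built; together with the 2.25 linker version and the TRiD result it is consistent with a Delphi executable.

```python
import struct
from datetime import datetime, timezone

# Fixed link-time stamp carried by Delphi-compiled binaries (1992-06-19 22:22:17 UTC).
DELPHI_FIXED_TIMESTAMP = 0x2A425E19

# IMAGE_FILE_* characteristic bits, labelled the way the report prints them.
CHARACTERISTIC_FLAGS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0080, "Bytes reversed lo"), (0x0100, "32-bit"),
    (0x8000, "Bytes reversed hi"),
]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 image with the field values listed in the report (not the real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature directly after the DOS header
    # COFF header: machine, sections, timestamp, symtab ptr, symbol count, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 8, DELPHI_FIXED_TIMESTAMP, 0, 0, 224, 0x818F)
    # Optional header: magic, linker 2.25, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData (placeholder values for the last two)
    opt = struct.pack("<HBBIIIIII", 0x10B, 2, 25, 156672, 56832, 0, 0x257CC, 0x1000, 0x27000)
    # ImageBase, alignments, OS 4.0, image 0.0, subsystem 4.0, Win32VersionValue, SizeOfImage,
    # SizeOfHeaders, CheckSum, Subsystem = 2 (Windows GUI), DllCharacteristics
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x35000, 0x400, 0, 2, 0)
    return bytes(dos) + b"PE\0\0" + coff + opt.ljust(224, b"\0")


def parse_pe_header(data: bytes) -> dict:
    """Extract the header fields the report shows from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code_size, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    os_major, _, img_major, _, ss_major, _ = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": "Intel 386 or later" if machine == 0x14C else hex(machine),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_fixed_timestamp": stamp == DELPHI_FIXED_TIMESTAMP,
        "characteristics": [name for bit, name in CHARACTERISTIC_FLAGS if chars & bit],
        "linker_version": f"{lmaj}.{lmin}",
        "code_size": code_size,
        "initialized_data_size": idata,
        "uninitialized_data_size": udata,
        "entry_point": hex(entry),
        "os_version": os_major,
        "image_version": img_major,
        "subsystem_version": ss_major,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
    }


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass the bytes read from disk to parse_pe_header instead of the constructed image; the delphi_fixed_timestamp flag is the check that keeps an analyst from reporting 1992 as a compile date.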
screenshot
All screenshots are available in the full report
Total processes
159
Monitored processes
21
Malicious processes
4
Suspicious processes
0

Behavior graph

Nodes of the graph (interactive in the full report; "no specs" marks a process with no signature hits of its own): start, tiburontigre@startmail.com.exe, svcpwk.exe, cmd.exe (no specs), conhost.exe (no specs), ping.exe (no specs), svcpwk.exe (THREAT), then six cmd.exe / conhost.exe pairs (no specs), wmic.exe (no specs), vssvc.exe (no specs), slui.exe (no specs).

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1156
CMD: "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: svcpwk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1212
CMD: wmic SHADOWCOPY DELETE
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2072
CMD: "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: svcpwk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2147749908
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3028
CMD: "C:\Windows\System32\cmd.exe" /c "ping 0.0.0.0&del "C:\Users\admin\Desktop\tiburontigre@startmail.com.exe""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: tiburontigre@startmail.com.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3148
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3752
CMD: "C:\Users\admin\Desktop\tiburontigre@startmail.com.exe"
Path: C:\Users\admin\Desktop\tiburontigre@startmail.com.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\tiburontigre@startmail.com.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3800
CMD: "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: svcpwk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3900
CMD: "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: svcpwk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4576
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4676
CMD: "C:\Users\admin\appdata\local\temp\svcpwk.exe"
Path: C:\Users\admin\AppData\Local\Temp\svcpwk.exe
Parent process: tiburontigre@startmail.com.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\svcpwk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
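The cmd.exe children of svcpwk.exe listed above are the recovery-inhibition step (ATT&CK T1490, the "Deletes shadow copies" signature) and the launcher's self-delete. Note the exit codes the sandbox recorded: both wmic SHADOWCOPY DELETE processes end with 2147749908 (0x80041014, an HRESULT from the WMI facility) and the wbadmin and bcdedit wrappers end with 1, so in this run none of them is known to have succeeded. A detection therefore has to key on the command line, not on the outcome. The Python below is an added example and is not part of the ANY.RUN report: it runs a small rule set over process-creation events constructed from the table above, normalizes away the cmd.exe /c wrapper and quoting so the same rule catches the wrapper and the inner process, and records the exit code beside each hit. The vssadmin and bcdedit recoveryenabled patterns do not occur in this report; they are included as the usual variants a rule set should also cover.

```python
import re

# Process-creation events constructed from the command lines, parents and exit codes in the table above.
SAMPLE_EVENTS = [
    {"pid": 1156, "parent": "svcpwk.exe", "exit_code": 1,
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"'},
    {"pid": 1212, "parent": "cmd.exe", "exit_code": 2147749908,
     "cmd": "wmic SHADOWCOPY DELETE"},
    {"pid": 2072, "parent": "svcpwk.exe", "exit_code": 2147749908,
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"'},
    {"pid": 3028, "parent": "tiburontigre@startmail.com.exe", "exit_code": 0,
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "ping 0.0.0.0&del "C:\Users\admin\Desktop\tiburontigre@startmail.com.exe""'},
    {"pid": 3148, "parent": "cmd.exe", "exit_code": 0,
     "cmd": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3800, "parent": "svcpwk.exe", "exit_code": 1,
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"'},
    {"pid": 3900, "parent": "svcpwk.exe", "exit_code": 1,
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"'},
]

# Command-line patterns for recovery inhibition (T1490) and the ping-then-del self-delete idiom.
# vssadmin and "recoveryenabled no" are not in this report; they are the common variants added here.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\b(wmic(\.exe)?\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows)\b")),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(backup|catalog|systemstatebackup)\b")),
    ("boot_recovery_tamper",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b")),
    ("self_delete", re.compile(r"\bping\b[^&|]*[&|]+\s*del\b")),
]


def normalize_command(cmd: str) -> str:
    """Lower-case, collapse whitespace, strip a leading 'cmd.exe /c' (or /k) wrapper and outer quotes."""
    s = " ".join(cmd.lower().split())
    s = re.sub(r'^"?[a-z]:\\[^"]*\\cmd\.exe"?\s+/[ck]\s+', "", s)
    return s.strip('"')


def detect_recovery_inhibition(events):
    """Return one alert per (event, matching rule); the exit code is reported, never used to suppress."""
    alerts = []
    for ev in events:
        normalized = normalize_command(ev["cmd"])
        for rule, pattern in RULES:
            if pattern.search(normalized):
                alerts.append({
                    "pid": ev["pid"], "parent": ev["parent"], "rule": rule,
                    "command": normalized,
                    "succeeded": ev["exit_code"] == 0,
                    # Windows exit codes above 0x80000000 are HRESULTs; show them in hex
                    "exit_code_hex": f"0x{ev['exit_code'] & 0xFFFFFFFF:08x}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"PID {alert['pid']:>5} ({alert['parent']}): {alert['rule']} exit={alert['exit_code_hex']} "
              f"succeeded={alert['succeeded']} :: {alert['command']}")
```

Because the wrapper is stripped, PID 2072 (the cmd.exe wrapper) and PID 1212 (WMIC.exe itself) both raise the same shadow_copy_delete alert; in a pipeline that feeds a ticketing system you would collapse those on the parent/child relationship rather than relax the rule.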
Total events
2 818
Read events
2 813
Write events
4
Delete events
1

Modification events

PID / Process: 4676 svcpwk.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 6C051BC3-FE8C5CD9
Value: "C:\Users\admin\appdata\local\temp\svcpwk.exe" -id "6C051BC3-FE8C5CD9" -wid "222"

PID / Process: 4676 svcpwk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 1602141
Value: 1602141

PID / Process: 6940 svcpwk.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 6C051BC3-FE8C5CD9
Value: "C:\Users\admin\appdata\local\temp\svcpwk.exe" -id "6C051BC3-FE8C5CD9" -wid "222"

PID / Process: 6940 svcpwk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: 1365764
Value: 1365764

PID / Process: 6940 svcpwk.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: 1365764
Value: 1365764
Executable files
1
Suspicious files
472
Text files
94
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6940  Process: svcpwk.exe
Filename: C:\$WinREAgent\Backup\Winre.wim
Type:
MD5:
SHA256:

PID: 6940  Process: svcpwk.exe
Filename: C:\$WinREAgent\Backup\Winre.wim[tiburontigre@startmail.com][222].[6C051BC3-FE8C5CD9]
Type:
MD5:
SHA256:

PID: 6940  Process: svcpwk.exe
Filename: C:\$WinREAgent\Scratch\update.wim
Type:
MD5:
SHA256:

PID: 6940  Process: svcpwk.exe
Filename: C:\$WinREAgent\Scratch\update.wim[tiburontigre@startmail.com][222].[6C051BC3-FE8C5CD9]
Type:
MD5:
SHA256:

PID: 6940  Process: svcpwk.exe
Filename: C:\Users\admin\AppData\Local\Temp\c-1750039943.log
Type: binary
MD5: 02294431EC211C90F9A1D60658FDBEAF
SHA256: 0E837CCE10DDBFB22C0B3F5565B6B5E689CFDC353B27DEEAA92C637AA690B3B2

PID: 6940  Process: svcpwk.exe
Filename: C:\$WinREAgent\Rollback\how_to_decrypt.hta
Type: html
MD5: AD8672F0DDFF2A08090DB869023DBA78
SHA256: 7799DA66BAEFBC63B27BA27AAC0DE73D13BD74E4089792CEE8B87B540D7B09CB

PID: 6940  Process: svcpwk.exe
Filename: C:\$Recycle.Bin\S-1-5-18\how_to_decrypt.hta
Type: html
MD5: AD8672F0DDFF2A08090DB869023DBA78
SHA256: 7799DA66BAEFBC63B27BA27AAC0DE73D13BD74E4089792CEE8B87B540D7B09CB

PID: 6940  Process: svcpwk.exe
Filename: C:\$WinREAgent\Backup\ReAgent.xml
Type: binary
MD5: 5566B96892148655E4AA352EBCA4A746
SHA256: 153E9967FBFBF8EB678456515B65D7A376CBF1315AA5583FE0E8B1E320A07052

PID: 6940  Process: svcpwk.exe
Filename: C:\$Recycle.Bin\how_to_decrypt.hta
Type: html
MD5: AD8672F0DDFF2A08090DB869023DBA78
SHA256: 7799DA66BAEFBC63B27BA27AAC0DE73D13BD74E4089792CEE8B87B540D7B09CB

PID: 6940  Process: svcpwk.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\how_to_decrypt.hta
Type: html
MD5: AD8672F0DDFF2A08090DB869023DBA78
SHA256: 7799DA66BAEFBC63B27BA27AAC0DE73D13BD74E4089792CEE8B87B540D7B09CB
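The Run-key writes under "Modification events" and the renamed files above share one identifier. The autorun value is named 6C051BC3-FE8C5CD9 and launches svcpwk.exe from the user's Temp directory with -id "6C051BC3-FE8C5CD9" -wid "222", while the two encrypted copies listed above are renamed to <original name>[tiburontigre@startmail.com][222].[6C051BC3-FE8C5CD9]: contact address, the -wid value, and the -id value. The Python below is an added example and is not part of the ANY.RUN report: it parses both formats and correlates them over registry events and file paths constructed from the sections above. The Run values named 1602141 and 1365764 hold no command line at all, and the example flags them for that reason; the rule that a Run entry pointing into AppData\Local\Temp is suspicious is the example's own heuristic, not something the report states.

```python
import re

# Registry writes and dropped-file paths constructed from the "Modification events" and
# "Dropped files" sections of the report above.
SAMPLE_REGISTRY_EVENTS = [
    {"pid": 4676, "op": "write", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "6C051BC3-FE8C5CD9",
     "data": r'"C:\Users\admin\appdata\local\temp\svcpwk.exe" -id "6C051BC3-FE8C5CD9" -wid "222"'},
    {"pid": 4676, "op": "write", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "1602141", "data": "1602141"},
    {"pid": 6940, "op": "write", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "6C051BC3-FE8C5CD9",
     "data": r'"C:\Users\admin\appdata\local\temp\svcpwk.exe" -id "6C051BC3-FE8C5CD9" -wid "222"'},
    {"pid": 6940, "op": "write", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "1365764", "data": "1365764"},
    {"pid": 6940, "op": "delete value", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "1365764", "data": "1365764"},
]
SAMPLE_DROPPED_FILES = [
    r"C:\$WinREAgent\Backup\Winre.wim",
    r"C:\$WinREAgent\Backup\Winre.wim[tiburontigre@startmail.com][222].[6C051BC3-FE8C5CD9]",
    r"C:\$WinREAgent\Scratch\update.wim",
    r"C:\$WinREAgent\Scratch\update.wim[tiburontigre@startmail.com][222].[6C051BC3-FE8C5CD9]",
    r"C:\Users\admin\AppData\Local\Temp\c-1750039943.log",
    r"C:\$WinREAgent\Rollback\how_to_decrypt.hta",
    r"C:\$Recycle.Bin\S-1-5-18\how_to_decrypt.hta",
]

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\wow6432node\microsoft\windows\currentversion\run",
)
# <original name>[<contact e-mail>][<campaign id>].[<victim id>]
SUFFIX_RE = re.compile(r"^(?P<original>.+?)\[(?P<contact>[^\]]+)\]\[(?P<campaign>[^\]]+)\]\.\[(?P<victim>[^\]]+)\]$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?P<args>.*)$', re.IGNORECASE)
ARG_RE = re.compile(r'-(?P<flag>id|wid)\s+"?(?P<value>[^"\s]+)"?', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)  # heuristic: Run entries should not live here


def parse_ransom_suffix(path: str):
    """Split an encrypted file name into original name, contact, campaign id and victim id, or None."""
    m = SUFFIX_RE.match(path)
    if not m:
        return None
    return {"original": m["original"], "contact": m["contact"],
            "campaign_id": m["campaign"], "victim_id": m["victim"]}


def parse_run_value(data: str):
    """Extract the executable and the -id / -wid arguments from a Run value, or None if it is not a command."""
    m = EXE_RE.match(data)
    if not m:
        return None
    args = {flag.lower(): value for flag, value in ARG_RE.findall(m["args"])}
    return {"exe": m["exe"], "victim_id": args.get("id"), "campaign_id": args.get("wid")}


def audit_persistence(registry_events, dropped_files):
    """Flag suspicious Run-key writes and tie each to the encrypted files that carry the same victim id."""
    encrypted_by_victim = {}
    for path in dropped_files:
        tag = parse_ransom_suffix(path)
        if tag:
            encrypted_by_victim.setdefault(tag["victim_id"], []).append(path)
    findings = []
    for ev in registry_events:
        if ev["op"] != "write" or not ev["key"].lower().endswith(RUN_KEY_SUFFIXES):
            continue
        parsed = parse_run_value(ev["data"])
        if parsed is None:
            reason, linked = "Run value holds no executable command line", []
        elif TEMP_DIR_RE.search(parsed["exe"]):
            reason = "autorun executable lives in the user Temp directory"
            linked = encrypted_by_victim.get(parsed["victim_id"], [])
        else:
            continue
        findings.append({"pid": ev["pid"], "key": ev["key"], "name": ev["name"], "reason": reason,
                         "victim_id": parsed["victim_id"] if parsed else None,
                         "encrypted_files": linked})
    return findings


if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_REGISTRY_EVENTS, SAMPLE_DROPPED_FILES):
        print(f"PID {f['pid']} {f['key']}\\{f['name']}: {f['reason']}; "
              f"victim={f['victim_id']} encrypted_files={len(f['encrypted_files'])}")
```

The victim id that names the Run value is the same string that terminates every encrypted file name, which is why the correlation works without any knowledge of the encryption itself; on a live host the same lookup lets a responder confirm which autorun entry belongs to the infection before removing it.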
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
382
DNS requests
385
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1336
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1944
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1944
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1268
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
888
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
1336
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1336
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.1
  • 40.126.31.128
  • 20.190.159.130
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.2
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
0.100.168.192.in-addr.arpa
unknown
2.100.168.192.in-addr.arpa
whitelisted

Threats

No threats detected
No debug info