File name:

HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.7z

Full analysis: https://app.any.run/tasks/2cf60377-d59b-467b-95f1-2042fec72c65
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: April 17, 2025, 15:24:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

2E7862AB82B951207A17125ABBFF3C3B

SHA1:

8DC400C2DDC03084330B37792013E74A428E5437

SHA256:

C2089014842EC04CFF7942788CCDB517E7D552AA0612756F1EE71B095A28E508

SSDEEP:

24576:epuyIFq/Qet7rTJMBO/ZyKb7H8ZMBV6xvwrY/L:epuyIFq/Qet7rTJMBO/ZyK3HkaV6GrYj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4244)

    • Create files in the Startup directory

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 4464)
      • net.exe (PID: 6760)
      • net.exe (PID: 4268)
      • cmd.exe (PID: 4120)
      • net.exe (PID: 3008)
      • cmd.exe (PID: 2088)
      • net.exe (PID: 2040)
      • net.exe (PID: 1272)
      • cmd.exe (PID: 4224)
      • cmd.exe (PID: 6744)
      • cmd.exe (PID: 736)
      • net.exe (PID: 4620)
      • cmd.exe (PID: 5512)
      • net.exe (PID: 2240)
      • cmd.exe (PID: 5756)
      • net.exe (PID: 7036)

    • RANSOMWARE has been detected

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Renames files like ransomware

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 672)
      • cmd.exe (PID: 644)

    • Detected use of alternative data streams (AltDS)

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • The process creates files with name similar to system file names

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • Creates file in the systems drive root

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4244)

    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Manual execution by a user

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Creates files in the program directory

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Checks proxy server information

      • slui.exe (PID: 2772)

    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Reads the software policy settings

      • slui.exe (PID: 2772)
      • slui.exe (PID: 4428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:06:13 12:26:38+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
51
Malicious processes
1
Suspicious processes
7

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe THREAT heur-trojan-ransom.win32.generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
644C:\WINDOWS\system32\cmd.exe /c netsh advfirewall set currentprofile state offC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
664C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
672C:\WINDOWS\system32\cmd.exe /c netsh firewall set opmode mode=disableC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
736C:\WINDOWS\system32\cmd.exe /c net stop vdsC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1168C:\WINDOWS\system32\cmd.exe /c bcdedit /set {default} recoveryenabled noC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1272net stop MSSQL$CONTOSO1C:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2040net stop MSSQLSERVERC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
92 145
Read events
92 126
Write events
19
Delete events
0

Modification events

(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.7z
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
8
Suspicious files
6 224
Text files
7
Unknown types
23

Dropped files

PID
Process
Filename
Type
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\BOOTNXT.[badlamadec@gmail.com][MJ-LX5927430186].Lamatext
MD5:D6F999F730BBE68814873C9D77A9623C
SHA256:86AFDA95DDFDB382132E678D9576A1D9DF67A33894A274DEE06FFF1D37EFE815
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\ProgramData\IDk.txttext
MD5:60330DD8A6781E76C4527A26A3C12C85
SHA256:1BC367B7D585BA78533F7DA7DFA370A8330FB05671C2071B4C3BF9F65F4B7456
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Backup\Winre.wim
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Backup\Winre.wim.[badlamadec@gmail.com][MJ-LX5927430186].Lama
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.[badlamadec@gmail.com][MJ-LX5927430186].Lamabinary
MD5:9568C7F5E90DADF04E3B31F2C2AD3881
SHA256:D4E3B7E458AE03BAE020E5D39F89256B04C328F0ACF6685969C50DB221884701
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeexecutable
MD5:91332F289D3E577B57D878B55C5CF18A
SHA256:9B688CFE929721289BA505BF6B16D691984B2EA75AE0B00E72D21A61748F7E69
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Scratch\update.wim
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Scratch\update.wim.[badlamadec@gmail.com][MJ-LX5927430186].Lama
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$Recycle.Bin\S-1-5-18\desktop.ini.[badlamadec@gmail.com][MJ-LX5927430186].Lamabinary
MD5:3B4C80CB5F6A5A0149AEC1C7C91A9E12
SHA256:50F8C989A0FB67F95048F897ABDBF791BA4906BB83D02EF3C442E8705A3CD28C
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Backup\location.txt.[badlamadec@gmail.com][MJ-LX5927430186].Lamabinary
MD5:1030F2D62FC329BDE6214BDAD4AE80D5
SHA256:3ECF56B2606E4AB44C33F130F827DCA7397BB12966508DE95A7AA03F3DA7FB1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
29
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
756
lsass.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5528
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5528
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
756
lsass.exe
GET
200
2.16.202.121:80
http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEga9qG8OP5P3FQB8Nhi78jZFBw%3D%3D
unknown
whitelisted
3112
OfficeClickToRun.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5528
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5528
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.134
  • 20.190.160.4
  • 20.190.160.132
  • 20.190.160.130
  • 20.190.160.67
  • 40.126.32.133
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
api.my-ip.io
  • 23.88.33.229
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.7z