File name:

HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.7z

Full analysis: https://app.any.run/tasks/2cf60377-d59b-467b-95f1-2042fec72c65
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: April 17, 2025, 15:24:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
evasion
ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

2E7862AB82B951207A17125ABBFF3C3B

SHA1:

8DC400C2DDC03084330B37792013E74A428E5437

SHA256:

C2089014842EC04CFF7942788CCDB517E7D552AA0612756F1EE71B095A28E508

SSDEEP:

24576:epuyIFq/Qet7rTJMBO/ZyKb7H8ZMBV6xvwrY/L:epuyIFq/Qet7rTJMBO/ZyK3HkaV6GrYj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4244)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 4464)
      • net.exe (PID: 4268)
      • cmd.exe (PID: 6744)
      • net.exe (PID: 6760)
      • cmd.exe (PID: 4120)
      • net.exe (PID: 3008)
      • cmd.exe (PID: 736)
      • net.exe (PID: 4620)
      • cmd.exe (PID: 5512)
      • cmd.exe (PID: 5756)
      • net.exe (PID: 2240)
      • net.exe (PID: 7036)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 4224)
      • net.exe (PID: 2040)
      • net.exe (PID: 1272)

    • Create files in the Startup directory

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • RANSOMWARE has been detected

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Renames files like ransomware

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Starts CMD.EXE for commands execution

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 644)
      • cmd.exe (PID: 672)

    • Creates file in the systems drive root

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • Detected use of alternative data streams (AltDS)

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • The process creates files with name similar to system file names

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4244)

    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Manual execution by a user

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Creates files in the program directory

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe (PID: 5360)

    • Reads the software policy settings

      • slui.exe (PID: 4428)
      • slui.exe (PID: 2772)

    • Checks proxy server information

      • slui.exe (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:06:13 12:26:38+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
51
Malicious processes
1
Suspicious processes
7

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe THREAT heur-trojan-ransom.win32.generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
644C:\WINDOWS\system32\cmd.exe /c netsh advfirewall set currentprofile state offC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
664C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
672C:\WINDOWS\system32\cmd.exe /c netsh firewall set opmode mode=disableC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
736C:\WINDOWS\system32\cmd.exe /c net stop vdsC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1168C:\WINDOWS\system32\cmd.exe /c bcdedit /set {default} recoveryenabled noC:\Windows\SysWOW64\cmd.exeHEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1180\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1272net stop MSSQL$CONTOSO1C:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2040net stop MSSQLSERVERC:\Windows\SysWOW64\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
92 145
Read events
92 126
Write events
19
Delete events
0

Modification events

(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.7z
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(4244) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
8
Suspicious files
6 224
Text files
7
Unknown types
23

Dropped files

PID
Process
Filename
Type
4244WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb4244.32093\HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeexecutable
MD5:91332F289D3E577B57D878B55C5CF18A
SHA256:9B688CFE929721289BA505BF6B16D691984B2EA75AE0B00E72D21A61748F7E69
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\ProgramData\prvkey1.txt.keybinary
MD5:A7FDFD5F15E12302AA8354B37BE9374F
SHA256:80A87683893B90E90F51F72CB572BDBCC8AB150722C59011318FE1D55B6C06AF
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Backup\Winre.wim
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Backup\Winre.wim.[badlamadec@gmail.com][MJ-LX5927430186].Lama
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-500\desktop.ini.[badlamadec@gmail.com][MJ-LX5927430186].Lamabinary
MD5:1D032631C0C4C9BB6FCF1387FC6E976F
SHA256:74B38A697F31EA932A71F461C079AD7A472A1458AD7E9A941BC2E689CE518290
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1000\desktop.ini.[badlamadec@gmail.com][MJ-LX5927430186].Lamabinary
MD5:0D2F4B511E569BE378115DE6315676D0
SHA256:C5E44CCF6BB497DFA4631186106A24C644D18008C44FFC2B95B9E9860D7A94AB
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Scratch\update.wim
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Scratch\update.wim.[badlamadec@gmail.com][MJ-LX5927430186].Lama
MD5:
SHA256:
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\ProgramData\IDk.txttext
MD5:60330DD8A6781E76C4527A26A3C12C85
SHA256:1BC367B7D585BA78533F7DA7DFA370A8330FB05671C2071B4C3BF9F65F4B7456
5360HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.exeC:\$WinREAgent\Rollback.xml.[badlamadec@gmail.com][MJ-LX5927430186].Lamabinary
MD5:8AD10461010805D171074C1B7FB572AD
SHA256:DCA089C66FA8679C6A0AE95C7C49E6D08F2915AC5BD5E9D0AC2AE1FF069CE29C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
29
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5528
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5528
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
756
lsass.exe
GET
200
2.16.202.121:80
http://e6.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTUejiAQejpjQc4fOz2ttjyD6VkMQQUDcXM%2FZvuFAWhTDCCpT5eisNYCdICEga9qG8OP5P3FQB8Nhi78jZFBw%3D%3D
unknown
whitelisted
756
lsass.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
3112
OfficeClickToRun.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5528
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5528
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.134
  • 20.190.160.4
  • 20.190.160.132
  • 20.190.160.130
  • 20.190.160.67
  • 40.126.32.133
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
api.my-ip.io
  • 23.88.33.229
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HEUR-Trojan-Ransom.Win32.Generic-9b688cfe929721289ba505bf6b16d691984b2ea75ae0b00e72d21a61748f7e69.7z