File name:

HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.7z

Full analysis: https://app.any.run/tasks/2d99d2d0-d021-4a26-a883-f62940725b33
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 10, 2025, 11:46:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

7641C9AFD8AD914E26FE344DAFA5823C

SHA1:

A4D0B9A0A2177235CD478A966C009173C092522E

SHA256:

C26ADA3469839FCBE73C9CF61B8FCB7F4BEC373C080CE90C046D4C811B356F23

SSDEEP:

1536:cibxRhzpVT2Rbg5Yv/mKsoGXG0ErDDubJgdu2GfWdelRSs:HfNVaR8Kv/mK70M2FgduBfWuz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4228)
    • Deletes shadow copies

      • cmd.exe (PID: 8184)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 4272)
      • cmd.exe (PID: 1532)
      • cmd.exe (PID: 7328)
      • cmd.exe (PID: 7512)
      • cmd.exe (PID: 7616)
      • cmd.exe (PID: 1128)
      • cmd.exe (PID: 2908)
      • cmd.exe (PID: 8076)
    • RANSOMWARE has been detected

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 7988)
    • Starts CMD.EXE for command execution

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
    • Creates a file in the system drive root

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
    • Writes to the desktop.ini file (may be used to cloak folders)

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4228)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5680)
      • WMIC.exe (PID: 4920)
      • WMIC.exe (PID: 5588)
      • WMIC.exe (PID: 6744)
      • WMIC.exe (PID: 300)
      • WMIC.exe (PID: 7584)
      • WMIC.exe (PID: 7620)
      • WMIC.exe (PID: 7576)
      • WMIC.exe (PID: 5400)
      • notepad.exe (PID: 7708)
      • WMIC.exe (PID: 8128)
    • Checks supported languages

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
    • Creates files in the program directory

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
    • Manual execution by a user

      • notepad.exe (PID: 7708)
      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
    • Reads the machine GUID from the registry

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
    • Reads the computer name

      • HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (PID: 7868)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:06:17 12:05:52+00:00
ArchivedFileName: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
No data.
All screenshots are available in the full report
Total processes
168
Monitored processes
37
Malicious processes
11
Suspicious processes
0

Behavior graph

Processes shown in the graph, in order (labels in parentheses are the graph's own):
  • start
  • winrar.exe
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • heur-trojan-ransom.win32.generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe (THREAT)
  • vssvc.exe (no specs)
  • cmd.exe, conhost.exe, wmic.exe (each no specs); this triple appears 10 times, once per shadow-copy deletion
  • rundll32.exe (no specs)
  • notepad.exe (no specs)

Process information

PID: 300
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F6D2D66A-FD0A-44D0-AB72-0E2CFE7522D0}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

PID: 1128
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3B13807A-ED43-401E-8984-A844D56BF40C}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 1532
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{653C6062-F0A5-4B71-B163-69072B443C22}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 2692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2908
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F886259D-FBB1-4A06-AC7A-6D1C49D02598}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 3332
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4008
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C965111A-D103-4E3C-88F1-8DE7944D8699}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 4228
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 4272
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BB6E10A-328D-4E9E-BEE2-902899F226FF}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

PID: 4920
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{653C6062-F0A5-4B71-B163-69072B443C22}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
3 759
Read events
3 740
Write events
19
Delete events
0

Modification events

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.7z

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

PID: 4228 (WinRAR.exe)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256
Executable files
1
Suspicious files
506
Text files
87
Unknown types
0

Dropped files

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\BOOTNXT
Type: binary
MD5:1F2A5A0FC650353C8F00686D3684E831
SHA256:2CF56DA330A54727910B3BC4DC6A68DC28F50957F529AE0F3234C6C811A0AC25

PID: 4228
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb4228.38874\HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Type: executable
MD5:5579BAB97431B3168B0F8C4BF83505FC
SHA256:556A0D488E067FE1EBE6D640E90B7CE12309BA68F8281464DEEC37908B4E8F5B

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\BOOTNXT.AHIOD
Type: binary
MD5:1F2A5A0FC650353C8F00686D3684E831
SHA256:2CF56DA330A54727910B3BC4DC6A68DC28F50957F529AE0F3234C6C811A0AC25

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\$WinREAgent\Rollback.xml.AHIOD
Type: binary
MD5:28CBE3A3E83FEA5DF73CFFA72B6DCACA
SHA256:5EED0B7DF1F8FC376308EB6EC5FBC8BBE8B5B973819E46AB9EFB3091AE27E0D1

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\found.000\readme.txt
Type: text
MD5:1F1D12D79D83E9A5501064D8D558BB78
SHA256:A25E401FBC6131B984D93281054B18EA822CD24EB137F168F7F2DA9AEEB43704

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\$WinREAgent\RollbackInfo.ini.AHIOD
Type: binary
MD5:224AA07A6A13FD1B0BCEF4C7F87C060E
SHA256:C24CDF2D9000DF1145043DA1BA76BD0A04E599C7C2DF43AB5B74F8997DCCF730

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\found.000\file00000002.chk.AHIOD
Type: binary
MD5:75EF6C83F1494D7EC136ABFEE48DA57E
SHA256:CA69F6D603B61B729EF2EAFA2928A8280079F4287A4F9858A3945D40ACC96078

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\found.000\file00000000.chk
Type: binary
MD5:24D3CC82FAD303681EEA7C53EB75453E
SHA256:EBACF149EEE2E6E95C8B8FD18C7B1F88AD392D5B4548EE962A6999B669191E73

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\found.000\file00000007.chk
Type: binary
MD5:9A4B43FA7D3D403D22751A6620D03236
SHA256:9C9F1BB93D9B62413363F65636D11AEFD162697E3A0AA9568C22D584F88A6D73

PID: 7868
Process: HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
Filename: C:\found.000\file00000007.chk.AHIOD
Type: binary
MD5:9A4B43FA7D3D403D22751A6620D03236
SHA256:9C9F1BB93D9B62413363F65636D11AEFD162697E3A0AA9568C22D584F88A6D73
HTTP(S) requests
5
TCP/UDP connections
24
DNS requests
13
Threats
0

HTTP requests

PID / Process: not shown
Method: GET
HTTP Code: 200
IP: 23.48.23.156:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID / Process: not shown
Method: GET
HTTP Code: 200
IP: 23.35.229.160:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID / Process: 6544 svchost.exe
Method: GET
HTTP Code: 200
IP: 2.17.190.73:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

PID / Process: 7716 SIHClient.exe
Method: GET
HTTP Code: 200
IP: 88.221.169.152:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown
Reputation: whitelisted

PID / Process: 7716 SIHClient.exe
Method: GET
HTTP Code: 200
IP: 88.221.169.152:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown
Reputation: whitelisted

Connections

PID / Process: 4 System
IP: 192.168.100.255:138
Reputation: whitelisted

PID / Process: 5324 RUXIMICS.exe
IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID / Process: not shown
IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID / Process: not shown
IP: 23.48.23.156:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID / Process: not shown
IP: 23.35.229.160:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID / Process: 4 System
IP: 192.168.100.255:137
Reputation: whitelisted

PID / Process: 3216 svchost.exe
IP: 172.211.123.250:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: FR
Reputation: whitelisted

PID / Process: 6544 svchost.exe
IP: 40.126.31.73:443
Domain: login.live.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID / Process: 6544 svchost.exe
IP: 2.17.190.73:80
Domain: ocsp.digicert.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID / Process: 7868 HEUR-Trojan-Ransom.Win32.Generic-556a0d488e067fe1ebe6d640e90b7ce12309ba68f8281464deec37908b4e8f5b.exe
IP: 192.168.100.2:445
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.145
  • 23.48.23.177
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.167
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.169.152
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.129
  • 20.190.159.128
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info