File name:

HKShip.exe

Full analysis: https://app.any.run/tasks/427b7cb3-c636-4187-8cc4-ccf446fae243
Verdict: Malicious activity
Analysis date: May 17, 2025, 22:10:24
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
meshagent
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

92DF804C4C8D1060040395C5DA6F1A59

SHA1:

95B352BC2D087CA3B8B3DD78E5C149E9B16DE8DC

SHA256:

D02F5DE5F7EDF82198D418F461096376A6F758FC982452280A42FCEF31699A4A

SSDEEP:

98304:QSohC3EMMdKaQXSZOz4umd8MYc9dRScnUf9qnnz8h2EYVQcOnFXTh+m3HONHv0gv:CG6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • HKShip.exe (PID: 780)

  • SUSPICIOUS

    • MeshAgent potential remote access (YARA)

      • HKShip.exe (PID: 780)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:08:18 00:07:01+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 13497344
InitializedDataSize: 3273216
UninitializedDataSize: -
EntryPoint: 0x3b0c40
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
98
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #MESHAGENT hkship.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
780"C:\Users\admin\Desktop\HKShip.exe" C:\Users\admin\Desktop\HKShip.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\hkship.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events
9
Read events
9
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
9
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.24.77.4:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
5280
MoUsoCoreWorker.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4a6c63fd64ca95c8
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4dd4673b063e3e0b
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e938189df1ea2ab1
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?423c998f8c5f5379
unknown
whitelisted
2768
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?2dfa98836f4bbe5f
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
184.24.77.4:80
Akamai International B.V.
DE
unknown
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5280
MoUsoCoreWorker.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3640
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2776
svchost.exe
20.189.173.17:443
v10.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2356
smartscreen.exe
98.64.238.3:443
checkappexec.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
296
svchost.exe
23.199.214.10:443
fs.microsoft.com
AKAMAI-AS
DE
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
2768
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.131
  • 40.126.31.67
  • 40.126.31.2
  • 40.126.31.71
  • 40.126.31.129
  • 40.126.31.73
  • 20.190.159.130
whitelisted
v10.events.data.microsoft.com
  • 20.189.173.17
whitelisted
checkappexec.microsoft.com
  • 98.64.238.3
whitelisted
fs.microsoft.com
  • 23.199.214.10
whitelisted
self.events.data.microsoft.com
  • 104.208.16.95
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
HKShip.exe