File name:

BitPaymer.exe

Full analysis: https://app.any.run/tasks/700d9d4e-6b49-4e81-8cdc-11d20fedc14f
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: June 16, 2025, 00:22:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 8 sections
MD5:

998246BD0E51F9582B998CA514317C33

SHA1:

5A2D799AC4CCA8954FC117C7FB3E868F93C6F009

SHA256:

D693C33DD550529F3634E3C7E53D82DF70C9D4FBD0C339DBC1849ADA9E539EA2

SSDEEP:

1536:gXfhIH8nkVK++cGhvca9yvncV2bdL/SY4EUZqSu5PN:g6H8kVK+nGzEYKKPr0Su5F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • BitPaymer.exe (PID: 3756)

    • RANSOMWARE has been detected

      • Hl5R0ka:exe (PID: 2220)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)

    • Starts CMD.EXE for commands execution

      • BitPaymer.exe (PID: 3756)

    • Reads security settings of Internet Explorer

      • BitPaymer.exe (PID: 3756)

    • Detected use of alternative data streams (AltDS)

      • BitPaymer.exe (PID: 3756)
      • conhost.exe (PID: 5496)
      • sAtjtAj:exe (PID: 6980)
      • Hl5R0ka:exe (PID: 2220)
      • XyD.exe (PID: 3148)
      • conhost.exe (PID: 320)

    • Executable content was dropped or overwritten

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)

    • Starts itself from another location

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)

    • Starts application with an unusual extension

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)

    • The executable file from the user directory is run by the CMD process

      • XyD.exe (PID: 3148)

    • Reads the date of Windows installation

      • sAtjtAj:exe (PID: 6980)
      • Hl5R0ka:exe (PID: 2220)

    • Starts NET.EXE for network exploration

      • sAtjtAj:exe (PID: 6980)

    • Creates file in the systems drive root

      • Hl5R0ka:exe (PID: 2220)

    • The process creates files with name similar to system file names

      • Hl5R0ka:exe (PID: 2220)

  • INFO

    • Creates files or folders in the user directory

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)

    • The sample compiled with english language support

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)

    • Checks supported languages

      • BitPaymer.exe (PID: 3756)
      • sAtjtAj:exe (PID: 6980)
      • Hl5R0ka:exe (PID: 2220)
      • XyD.exe (PID: 3148)

    • Reads the computer name

      • BitPaymer.exe (PID: 3756)
      • sAtjtAj:exe (PID: 6980)
      • Hl5R0ka:exe (PID: 2220)

    • Launching a file from a Registry key

      • BitPaymer.exe (PID: 3756)

    • Reads the machine GUID from the registry

      • BitPaymer.exe (PID: 3756)
      • XyD.exe (PID: 3148)
      • sAtjtAj:exe (PID: 6980)
      • Hl5R0ka:exe (PID: 2220)

    • Process checks computer location settings

      • BitPaymer.exe (PID: 3756)

    • Creates files in the program directory

      • Hl5R0ka:exe (PID: 2220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:01 04:08:13+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 20480
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x1ee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows command line
FileVersionNumber: 10.0.10586.9
ProductVersionNumber: 10.0.10586.9
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: ApiSet Stub DLL
FileVersion: 10.0.10586.9 (th2_release.151110-1756)
InternalName: apisetstub
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: apisetstub
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.10586.9
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
12
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bitpaymer.exe conhost.exe no specs cmd.exe conhost.exe no specs satjtaj:exe no specs conhost.exe no specs xyd.exe THREAT hl5r0ka:exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
32\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeBitPaymer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeHl5R0ka:exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2220C:\Users\admin\AppData\Local\Hl5R0ka:exe 3 C:\Users\admin\AppData\Local\oRg6qZ\XyD.exeC:\Users\admin\AppData\Local\Hl5R0ka:exe
XyD.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\hl5r0ka:exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2348"C:\WINDOWS\SysWOW64\cmd.exe" /c C:\Users\admin\AppData\Local\oRg6qZ\XyD.exe 2C:\Windows\SysWOW64\cmd.exe
BitPaymer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2764C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3148C:\Users\admin\AppData\Local\oRg6qZ\XyD.exe 2C:\Users\admin\AppData\Local\oRg6qZ\XyD.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\org6qz\xyd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3756"C:\Users\admin\Desktop\BitPaymer.exe" C:\Users\admin\Desktop\BitPaymer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\desktop\bitpaymer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5496\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesAtjtAj:exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6160C:\WINDOWS\system32\net.exe viewC:\Windows\SysWOW64\net.exesAtjtAj:exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6320\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
2 577
Read events
2 576
Write events
1
Delete events
0

Modification events

(PID) Process:(3756) BitPaymer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:SFJsBikfELt8B
Value:
C:\Users\admin\AppData\Local\rOGN64B\g7QE.exe
Executable files
2
Suspicious files
405
Text files
852
Unknown types
0

Dropped files

PID
Process
Filename
Type
3756BitPaymer.exeC:\Users\admin\AppData\Local\oRg6qZ\XyD.exebinary
MD5:26E6A034A14A291972C94FF480EA35D7
SHA256:8344838622218BBEB45F589318A120903EEF3835616B20DA852E3D3E66484AB0
3148XyD.exeC:\Users\admin\AppData\Local\Hl5R0ka:exeexecutable
MD5:998246BD0E51F9582B998CA514317C33
SHA256:D693C33DD550529F3634E3C7E53D82DF70C9D4FBD0C339DBC1849ADA9E539EA2
2220Hl5R0ka:exeC:\$WinREAgent\Rollback.xmltext
MD5:76390D3429BA451F1E37DAAE6BC85B51
SHA256:31D694956DDCDB8B2D61EE7B91BEB5AF37CE0557B6CA44438D2C3CA9F96C56D9
3756BitPaymer.exeC:\Users\admin\AppData\Local\sAtjtAj:exeexecutable
MD5:998246BD0E51F9582B998CA514317C33
SHA256:D693C33DD550529F3634E3C7E53D82DF70C9D4FBD0C339DBC1849ADA9E539EA2
2220Hl5R0ka:exeC:\$WinREAgent\Rollback.xml.lockedbinary
MD5:2A204150075EA1691462F3C327667442
SHA256:8A290CEE391040D35321F94441EEA7F347E6F657A65223334360E362DF29B5CA
3756BitPaymer.exeC:\Users\admin\AppData\Local\rOGN64B\g7QE.exebinary
MD5:9755382E97797A54700CE6CEB7EF1042
SHA256:A493F402FC3AE2386671536F6FE62D47DDA7664D133CA228316D59460CA2C27C
2220Hl5R0ka:exeC:\$WinREAgent\Backup\location.txt.readme_txttext
MD5:51FAB08A170E3C398E696A5D36CDE259
SHA256:BAB1199A9B43D11429C79F0B15C7E8C8D61EC612ACA223AA66FD253EAB11F1CB
2220Hl5R0ka:exeC:\$WinREAgent\Backup\location.txttext
MD5:76390D3429BA451F1E37DAAE6BC85B51
SHA256:31D694956DDCDB8B2D61EE7B91BEB5AF37CE0557B6CA44438D2C3CA9F96C56D9
2220Hl5R0ka:exeC:\found.000\file00000000.chktext
MD5:76390D3429BA451F1E37DAAE6BC85B51
SHA256:31D694956DDCDB8B2D61EE7B91BEB5AF37CE0557B6CA44438D2C3CA9F96C56D9
2220Hl5R0ka:exeC:\$WinREAgent\RollbackInfo.ini.lockedbinary
MD5:25925AC443096B366E544D807812940F
SHA256:B6C7A35C1528D556106EC5A780A4AF4697D3ECA18287B115C65C3A64CD1E7D2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1128
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2288
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1128
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5116
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.12
  • 184.24.77.37
  • 184.24.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.131
  • 20.190.159.129
  • 20.190.159.128
  • 20.190.159.75
  • 40.126.31.1
  • 40.126.31.71
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BitPaymer.exe