File name: AtomSilo.7z

Full analysis: https://app.any.run/tasks/e97bd02a-730c-4b27-86ca-d3f605ef29fa
Verdict: Malicious activity
Threats: Ransomware

Ransomware is malicious software that denies victims access to their systems or data in order to extort a payment. Most commonly it encrypts files on the infected machine and demands a fee in exchange for the decryption key. Many operators also steal sensitive data from the compromised host before encrypting it and threaten to publish it, or launch DDoS attacks against the affected organization, to increase the pressure to pay.

Analysis date: May 12, 2025, 15:46:53
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 96FEF083A6E156A2F4FCE61C1475D578
SHA1: 436C55055FD328F594361EC4DCC7DEFC378F7C5D
SHA256: E2D4AD9AA3199BC6FB597C65702284A968DF3D09644F170CB8B36298BA5D7E9B
SSDEEP: 98304:UrCYeGH1XTueuZDWCizbqGK/7jkXiGNoWxJXgeGuDcpzWY5i+hdng7dGZcbhD9g9:dSBdvBZa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RANSOMWARE has been detected

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Drops known malicious document

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Process drops legitimate windows executable

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Reads security settings of Internet Explorer

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The process drops C-runtime libraries

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Connects to unusual port

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Executable content was dropped or overwritten

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
  • INFO

    • Manual execution by a user

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
      • mshta.exe (PID: 5416)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3884)
    • Checks proxy server information

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
      • slui.exe (PID: 4988)
    • Creates files in the program directory

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with english language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Reads the computer name

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Reads the software policy settings

      • slui.exe (PID: 5956)
      • slui.exe (PID: 4988)
    • The sample compiled with german language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • Checks supported languages

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with portuguese language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with french language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with russian language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with japanese language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with korean language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with spanish language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with Italian language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
    • The sample compiled with turkish language support

      • 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (PID: 6048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2021:12:19 22:52:41+00:00
ArchivedFileName: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, winrar.exe, sppextcomobj.exe (no specs), slui.exe, 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe (THREAT), conhost.exe (no specs), slui.exe, mshta.exe (no specs)

Process information
PID: 3884
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\AtomSilo.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4452
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4988
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5416
CMD: "C:\Windows\SysWOW64\mshta.exe" "C:\README-FILE-DESKTOP-JGLLJLD-1747064831.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Path: C:\Windows\SysWOW64\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 5956
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6048
CMD: "C:\Users\admin\Desktop\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe"
Path: C:\Users\admin\Desktop\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Indicators: THREAT
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\desktop\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6644
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
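The process list above is the kind of telemetry an EDR or sandbox hands an analyst. The Python below is an added example and not part of the ANY.RUN report: it transcribes the seven rows by hand (PIDs, image paths, command lines, parents, integrity levels, and whether the report showed Company/Version metadata) and applies three checks: mshta.exe rendering an .hta from a drive root whose name follows the README-FILE-<hostname>-<unix time>.hta layout, a binary from a user-writable directory running at HIGH integrity without version information, and the children the sample spawned. The note-name layout and the has_version_info flag are assumptions drawn from the report, not fields it exports.

```python
"""Added triage example (not from the ANY.RUN report): flag ransomware tells in
sandbox process records.  PROCESSES is transcribed by hand from the Process
information section; has_version_info mirrors whether Company/Version appeared."""
import re
from dataclasses import dataclass

# Assumed ransom-note name layout: README-FILE-<hostname>-<unix time>.hta
NOTE_NAME_RE = re.compile(r"README-FILE-(?P<host>[A-Z0-9-]+)-(?P<ts>\d{10})\.hta$", re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:\\[^\\]+$", re.I)   # file directly under a drive root
USER_DIR_RE = re.compile(r"^[A-Z]:\\Users\\", re.I)      # user-writable location


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: str
    integrity: str
    has_version_info: bool


SAMPLE = "5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe"
PROCESSES = [
    Proc(3884, r"C:\Program Files\WinRAR\WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\AtomSilo.7z',
         "explorer.exe", "MEDIUM", True),
    Proc(4452, r"C:\Windows\System32\SppExtComObj.Exe",
         r"C:\WINDOWS\system32\SppExtComObj.exe -Embedding", "svchost.exe", "SYSTEM", True),
    Proc(4988, r"C:\Windows\System32\slui.exe",
         r"C:\WINDOWS\System32\slui.exe -Embedding", "svchost.exe", "MEDIUM", True),
    Proc(5416, r"C:\Windows\SysWOW64\mshta.exe",
         r'"C:\Windows\SysWOW64\mshta.exe" "C:\README-FILE-DESKTOP-JGLLJLD-1747064831.hta" '
         r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}",
         "explorer.exe", "MEDIUM", True),
    Proc(5956, r"C:\Windows\System32\slui.exe",
         r'"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;'
         r"Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;"
         r"SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent",
         "SppExtComObj.Exe", "SYSTEM", True),
    Proc(6048, r"C:\Users\admin\Desktop" + "\\" + SAMPLE,
         '"' + r"C:\Users\admin\Desktop" + "\\" + SAMPLE + '"', "explorer.exe", "HIGH", False),
    Proc(6644, r"C:\Windows\System32\conhost.exe",
         r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", SAMPLE, "HIGH", True),
]


def argv(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def ransom_note_launches(procs):
    """mshta.exe rendering an .hta that matches the note-name layout and sits
    directly in a drive root: the way the ransom note gets displayed."""
    hits = []
    for p in procs:
        if p.image.lower().endswith("\\mshta.exe"):
            for arg in argv(p.cmdline)[1:]:
                m = NOTE_NAME_RE.search(arg)
                if m and DRIVE_ROOT_RE.match(arg):
                    hits.append((p.pid, arg, m["host"], int(m["ts"])))
    return hits


def elevated_user_binaries(procs):
    """Binaries launched from a user-writable path at HIGH/SYSTEM integrity with
    no version resource; signed installers almost always carry Company/Version."""
    return [p.pid for p in procs
            if USER_DIR_RE.match(p.image) and p.integrity in ("HIGH", "SYSTEM")
            and not p.has_version_info]


def children_of(procs, parent_name):
    """PIDs whose parent image name matches (case-insensitive)."""
    return [p.pid for p in procs if p.parent.lower() == parent_name.lower()]


if __name__ == "__main__":
    print("ransom note launches:", ransom_note_launches(PROCESSES))
    print("elevated unsigned user binaries:", elevated_user_binaries(PROCESSES))
    print("children of sample:", children_of(PROCESSES, SAMPLE))
```

The same three functions apply unchanged to a Sysmon Event ID 1 export or an EDR process dump once the rows are parsed into Proc records; the drive-root test is what separates a ransom note from the many legitimate .hta files under Program Files.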
Total events: 2 842
Read events: 2 817
Write events: 25
Delete events: 0

Modification events

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\AtomSilo.7z

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3884) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files: 159
Suspicious files: 2 588
Text files: 11 009
Unknown types: 1

Dropped files

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\Backup\Winre.wim.ATOMSILO
Type: -
MD5: -
SHA256: -

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\Scratch\update.wim.ATOMSILO
Type: -
MD5: -
SHA256: -

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\Users\Public\index.html
Type: html
MD5: E0A789DAEECBFBE384EA41CE2CC066BD
SHA256: 13E6BAE19525009432FDEFBF2872EB44C2246B13C228E09F2160812134B0B617

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\README-FILE-DESKTOP-JGLLJLD-1747064831.hta
Type: html
MD5: E0A789DAEECBFBE384EA41CE2CC066BD
SHA256: 13E6BAE19525009432FDEFBF2872EB44C2246B13C228E09F2160812134B0B617

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\Rollback\README-FILE-DESKTOP-JGLLJLD-1747064831.hta
Type: html
MD5: E0A789DAEECBFBE384EA41CE2CC066BD
SHA256: 13E6BAE19525009432FDEFBF2872EB44C2246B13C228E09F2160812134B0B617

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\Backup\README-FILE-DESKTOP-JGLLJLD-1747064831.hta
Type: html
MD5: E0A789DAEECBFBE384EA41CE2CC066BD
SHA256: 13E6BAE19525009432FDEFBF2872EB44C2246B13C228E09F2160812134B0B617

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\README-FILE-DESKTOP-JGLLJLD-1747064831.hta
Type: html
MD5: E0A789DAEECBFBE384EA41CE2CC066BD
SHA256: 13E6BAE19525009432FDEFBF2872EB44C2246B13C228E09F2160812134B0B617

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\Backup\ReAgent.xml.ATOMSILO
Type: xml
MD5: CC8F4479ACCDAD829F622369C1C91BB2
SHA256: 2B50529F157707DE79A76B39344CD2526EB015B3CDA5727CC010537AA3CBF084

PID: 3884, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3884.13277\5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Type: executable
MD5: 5559E9F5E1645F8554EA020A29A5A3EE
SHA256: 5F614A8E35BD80A603CF98846C6A44030AD18BED45AC83BD2110D83E8A090DE4

PID: 6048, Process: 5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe
Filename: C:\$WinREAgent\Backup\location.txt.ATOMSILO
Type: text
MD5: F09B8CA2E0F41BA2270F6EF5062BB1A8
SHA256: E4C22462C0619D55326E12995176E7A5D14C16E1F6791F0F8C7E55034AAB1D35
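The dropped-file list alone recovers most of what an incident responder wants on first contact. The Python below is an added example, not part of the ANY.RUN report: it embeds the ten rows above as constructed data and derives the appended extension (ATOMSILO), the files it was appended to, the ransom note (the one hash written to five locations, including C:\Users\Public\index.html), and, on the assumption that the note's name encodes the sandbox hostname and a Unix timestamp, decodes that timestamp, which lands 18 seconds after the analysis start time of 15:46:53. It also flags the file WinRAR extracted, whose name is its own SHA-256.

```python
"""Added triage example (not from the ANY.RUN report): recover ransomware
indicators from a dropped-file listing.  DROPPED is transcribed by hand from the
Dropped files section; '' marks a cell the sandbox left empty."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import NamedTuple


class Dropped(NamedTuple):
    pid: int
    process: str
    path: str
    ftype: str
    md5: str
    sha256: str


SAMPLE = "5f614a8e35bd80a603cf98846c6a44030ad18bed45ac83bd2110d83e8a090de4.exe"
NOTE_MD5 = "E0A789DAEECBFBE384EA41CE2CC066BD"
NOTE_SHA = "13E6BAE19525009432FDEFBF2872EB44C2246B13C228E09F2160812134B0B617"
DROPPED = [
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\Backup\Winre.wim.ATOMSILO", "", "", ""),
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\Scratch\update.wim.ATOMSILO", "", "", ""),
    Dropped(6048, SAMPLE, r"C:\Users\Public\index.html", "html", NOTE_MD5, NOTE_SHA),
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\README-FILE-DESKTOP-JGLLJLD-1747064831.hta", "html", NOTE_MD5, NOTE_SHA),
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\Rollback\README-FILE-DESKTOP-JGLLJLD-1747064831.hta", "html", NOTE_MD5, NOTE_SHA),
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\Backup\README-FILE-DESKTOP-JGLLJLD-1747064831.hta", "html", NOTE_MD5, NOTE_SHA),
    Dropped(6048, SAMPLE, r"C:\README-FILE-DESKTOP-JGLLJLD-1747064831.hta", "html", NOTE_MD5, NOTE_SHA),
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\Backup\ReAgent.xml.ATOMSILO", "xml",
            "CC8F4479ACCDAD829F622369C1C91BB2", "2B50529F157707DE79A76B39344CD2526EB015B3CDA5727CC010537AA3CBF084"),
    Dropped(3884, "WinRAR.exe", "C:\\Users\\admin\\AppData\\Local\\Temp\\Rar$DRb3884.13277\\" + SAMPLE, "executable",
            "5559E9F5E1645F8554EA020A29A5A3EE", "5F614A8E35BD80A603CF98846C6A44030AD18BED45AC83BD2110D83E8A090DE4"),
    Dropped(6048, SAMPLE, r"C:\$WinREAgent\Backup\location.txt.ATOMSILO", "text",
            "F09B8CA2E0F41BA2270F6EF5062BB1A8", "E4C22462C0619D55326E12995176E7A5D14C16E1F6791F0F8C7E55034AAB1D35"),
]
# Assumed ransom-note name layout: README-FILE-<hostname>-<unix time>.hta
NOTE_NAME_RE = re.compile(r"README-FILE-(?P<host>[A-Z0-9-]+)-(?P<ts>\d{10})\.hta$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def appended_extension(files):
    """Most common trailing extension among names that still carry an inner
    extension (Winre.wim.ATOMSILO): the marker the encryptor appends."""
    counts = Counter(basename(f.path).rsplit(".", 1)[-1]
                     for f in files if basename(f.path).count(".") >= 2)
    return counts.most_common(1)[0][0] if counts else None


def encrypted_files(files, ext):
    return [f.path for f in files if f.path.upper().endswith("." + ext.upper())]


def replicated_by_hash(files):
    """Hashes written to more than one path: a ransom note is copied into every
    directory the encryptor touches, so its hash repeats across the listing."""
    by_hash = defaultdict(set)
    for f in files:
        if f.sha256:
            by_hash[f.sha256.upper()].add(f.path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def note_metadata(paths):
    """Hostname and UTC time taken from the note's name (assumed layout)."""
    for p in paths:
        m = NOTE_NAME_RE.search(basename(p))
        if m:
            return m["host"], datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    return None


def hash_named_files(files):
    """Files whose name is their own SHA-256, the usual naming for samples pulled
    from a feed (here the executable WinRAR extracted from AtomSilo.7z)."""
    return [f.pid for f in files
            if f.sha256 and basename(f.path).lower().startswith(f.sha256.lower())]


def triage(files):
    ext = appended_extension(files)
    dup = replicated_by_hash(files)
    note_hash, note_paths = next(iter(dup.items())) if dup else (None, [])
    meta = note_metadata(note_paths)
    return {
        "extension": ext,
        "encrypted": encrypted_files(files, ext) if ext else [],
        "note_sha256": note_hash,
        "note_copies": len(note_paths),
        "note_host": meta[0] if meta else None,
        "note_time_utc": meta[1].isoformat() if meta else None,
        "hash_named_pids": hash_named_files(files),
    }


if __name__ == "__main__":
    for key, value in triage(DROPPED).items():
        print(f"{key}: {value}")
```

Two of the encrypted files (the .wim images) have no hash or type in the report, so the extension heuristic deliberately keys on the file name rather than on content; the hash-replication check is what isolates the note even when its name changes between builds.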
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 26
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 104.124.11.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 104.124.11.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6944 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 104.124.11.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 104.124.11.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
- | - | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 104.124.11.19
  • 104.124.11.58
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.131
  • 40.126.31.2
  • 20.190.159.128
  • 20.190.159.71
  • 20.190.159.130
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted

Threats

No threats detected
No debug info