File name:

161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.zip

Full analysis: https://app.any.run/tasks/04e961da-5291-41e1-8213-036d2d5aeca7
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 24, 2022, 22:36:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
stop
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5:

C1ACB33E084DAF418279BAD5C383470B

SHA1:

BAA2F4F5B3655EF427BAA42D5F59E2511C05D1E7

SHA256:

E7314F5F29097BF5E3AC35220E15030FEF9E1DF53753D12352D8420D869725EF

SSDEEP:

12288:9kLHXjgM14/64hT/05NIVoclKU6OwaloRHoCyrrnN7C/s65/WUVVad8b:sjgSuYjIVocgR7gnN70ss//VaM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3824)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3068)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3592)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 1764)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
    • Changes settings of System certificates

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
    • Changes the autorun value in the registry

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
    • Loads the Task Scheduler COM API

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3592)
    • STOP was detected

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3592)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2180)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3592)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
      • notepad++.exe (PID: 2856)
    • Checks supported languages

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3824)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3068)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3592)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 1764)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
      • notepad++.exe (PID: 2856)
      • WinRAR.exe (PID: 2180)
    • Application launched itself

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3824)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3068)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 1764)
    • Adds / modifies Windows certificates

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
    • Uses ICACLS.EXE to modify access control list

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
    • Executable content was dropped or overwritten

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • WinRAR.exe (PID: 2180)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2180)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2100)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 3824)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 1764)
      • notepad++.exe (PID: 2856)
    • Checks supported languages

      • explorer.exe (PID: 2100)
      • icacls.exe (PID: 2036)
    • Checks Windows Trust Settings

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
    • Reads settings of System Certificates

      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 2320)
      • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (PID: 116)
    • Reads the computer name

      • explorer.exe (PID: 2100)
      • icacls.exe (PID: 2036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
ZipUncompressedSize: 808448
ZipCompressedSize: 716690
ZipCRC: 0xac31dfc4
ZipModifyDate: 2022:01:24 15:40:21
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 51
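Read together, the three EXIF fields above say more than "Unknown (99)": general-purpose flag bit 0 in ZipBitFlag 0x0003 marks the entry as encrypted, compression method 99 is the WinZip AES scheme (the real compression method and the key size are carried in the 0x9901 extra field, not in the header), and ZipRequiredVersion 51 is "5.1", which is exactly the "at least v5.1 to extract" that the file-type line reports. In other words the submission is a password-protected archive, which is why WinRAR appears in the process list as the process that dropped the payload. The following Python is an added example, not part of the ANY.RUN report: it parses a ZIP local file header plus the AES extra field from bytes constructed here to carry the values shown above. The extra-field contents (AE-1, AES-256, deflate underneath) are assumptions, since the report does not print them; AE-1 is chosen because the report shows a non-zero ZipCRC, which AE-2 would have zeroed. The DOS timestamp has 2-second resolution, so the constructed header carries 15:40:20.

```python
"""Decode the ZIP local-file-header fields ExifTool printed above.

Added example, not part of the ANY.RUN report. The header bytes are built here
with struct.pack to carry the values shown in the EXIF block; they are not the
real archive, and the AES extra field (AE-1, AES-256, deflate underneath) is an
assumption because the report does not print it.
"""
import struct

LOCAL_HEADER_SIG = 0x04034B50   # little-endian "PK\x03\x04"
AES_EXTRA_ID = 0x9901           # WinZip AES extra-field header ID
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma",
                93: "zstd", 95: "xz", 99: "WinZip AES (real method in extra field 0x9901)"}
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def dos_datetime(dos_date, dos_time):
    """Expand packed MS-DOS date and time (2-second resolution) to a tuple."""
    return ((dos_date >> 9) + 1980, (dos_date >> 5) & 0xF, dos_date & 0x1F,
            dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_aes_extra(extra):
    """Walk the extra-field area and return the 0x9901 record, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, hlen = struct.unpack_from("<HH", extra, pos)
        if hid == AES_EXTRA_ID and hlen >= 7:
            ae_version, vendor, strength, real = struct.unpack_from("<H2sBH", extra, pos + 4)
            return {"ae_version": ae_version, "vendor": vendor.decode("ascii"),
                    "strength": AES_STRENGTH.get(strength, f"unknown ({strength})"),
                    "real_method": real,
                    "real_method_name": METHOD_NAMES.get(real, f"unknown ({real})")}
        pos += 4 + hlen
    return None


def parse_local_header(buf):
    """Parse a ZIP local file header: 30 fixed bytes, then name and extra area."""
    (sig, version_needed, flags, method, mtime, mdate, crc32,
     csize, usize, name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", buf, 0)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    name = buf[30:30 + name_len].decode("cp437")
    extra = buf[30 + name_len:30 + name_len + extra_len]
    return {
        "name": name,
        # stored as major*10+minor, so 51 is "5.1" ("at least v5.1 to extract")
        "version_needed": f"{version_needed // 10}.{version_needed % 10}",
        "encrypted": bool(flags & 0x0001),        # general-purpose flag bit 0
        "method": method,
        "method_name": METHOD_NAMES.get(method, f"unknown ({method})"),
        "crc32": crc32,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "modified": dos_datetime(mdate, mtime),
        "aes": parse_aes_extra(extra) if method == 99 else None,
    }


def summarize(info):
    """One line an analyst can paste into notes."""
    enc = "encrypted" if info["encrypted"] else "not encrypted"
    aes = info["aes"]
    how = (f"{aes['strength']} over {aes['real_method_name']} (AE-{aes['ae_version']})"
           if aes else info["method_name"])
    return (f"{info['name']}: {enc}, {how}, needs ZIP {info['version_needed']}, "
            f"{info['compressed_size']} -> {info['uncompressed_size']} bytes")


def build_local_header(name, *, version, flags, method, mtime, mdate,
                       crc32, csize, usize, extra=b""):
    """Assemble a local file header from its fields (used to construct the sample)."""
    fixed = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, version, flags, method,
                        mtime, mdate, crc32, csize, usize, len(name), len(extra))
    return fixed + name + extra


# Constructed sample carrying the report's values. AE-1 keeps the real CRC in
# the header (AE-2 stores zero); the report shows a non-zero ZipCRC, so AE-1 is
# assumed, as are AES-256 (strength 3) and deflate (8) as the real method.
SAMPLE_AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 1, b"AE", 3, 8)
SAMPLE_HEADER = build_local_header(
    b"161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe",
    version=51, flags=0x0003, method=99,
    mtime=(15 << 11) | (40 << 5) | (20 // 2),              # 15:40:20
    mdate=((2022 - 1980) << 9) | (1 << 5) | 24,             # 2022-01-24
    crc32=0xAC31DFC4, csize=716690, usize=808448, extra=SAMPLE_AES_EXTRA)

if __name__ == "__main__":
    print(summarize(parse_local_header(SAMPLE_HEADER)))
```

The parser stops at the local header on purpose: for triage you want to know whether an archive is encrypted and with what scheme before handing it to an extractor, and the local header is enough for that. Method 99 is the only case where the header's method field does not tell you the compression; everything else comes straight from the fixed fields.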
All screenshots are available in the full report
Total processes: 54
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Graph nodes, in the order shown in the report:
  • start
  • drop and start
  • winrar.exe
  • explorer.exe (no specs)
  • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (no specs)
  • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
  • icacls.exe (no specs)
  • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe (#STOP)
  • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
  • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
  • 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
  • notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 116
CMD: "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe"
Path: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
Parent process: 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 1764
CMD: "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe"
Path: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2036
CMD: icacls "C:\Users\admin\AppData\Local\e6b5fd98-65c3-443b-b7ac-7e4123032026" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Path: C:\Windows\system32\icacls.exe
Parent process: 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID: 2100
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2180
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe"
Path: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
Parent process: 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 2856
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: Explorer.EXE
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
3221225547
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3068
CMD: "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
Parent process: 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3592
CMD: "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
Parent process: 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 3824
CMD: "C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe"
Path: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 9 997
Read events: 9 813
Write events: 177
Delete events: 7

Modification events

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write    Name: ShellExtBMP
Value:

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write    Name: ShellExtIcon
Value:

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write    Name: LanguageList
Value: en-US

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 0
Value: C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.zip

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: name
Value: 120

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: size
Value: 80

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: type
Value: 120

(PID) Process: (2180) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: mtime
Value: 100
Executable files: 2
Suspicious files: 8
Text files: 3
Unknown types: 2

Dropped files

PID | Process | Filename | Type
(the MD5 and SHA256 columns are empty for every row)
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json | binary
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\get[1].htm | binary
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\SystemID\PersonalID.txt | text
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\Local\bowsakkdestx.txt | binary
2180 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34\161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | executable
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 8
DNS requests: 7
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | GET | 200 | 104.18.31.182:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0657f48f330ccdd6 | US | compressed | 4.70 Kb | whitelisted
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | GET | 200 | 58.124.228.242:80 | http://tzgl.org/fhsgtsspen6/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true | KR | binary | 559 b | malicious
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | GET | 404 | 58.124.228.242:80 | http://tzgl.org/files/1/build3.exe | KR | html | 216 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | 77.123.139.190:443 | api.2ip.ua | Volia | UA | suspicious
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | 104.18.31.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | unknown
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | 104.18.30.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious
116 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | 77.123.139.190:443 | api.2ip.ua | Volia | UA | suspicious
(none) | (none) | 77.123.139.190:443 | api.2ip.ua | Volia | UA | suspicious
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | 58.124.228.242:80 | tzgl.org | SK Broadband Co Ltd | KR | malicious
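The behaviours worth turning into detection logic are spread across the tables above: PID 2036 runs icacls to deny Everyone (SID S-1-1-0) the DE (delete) and DC (delete child) rights on a GUID-named directory under %LocalAppData%, with (OI)(CI) so the deny ACE is inherited by files and subfolders, which protects the sample's dropped copy from removal by a standard user; PIDs 3068 and 3592 are the sample relaunching itself at HIGH integrity with --Admin IsNotAutoStart IsNotTask; PID 3592 drops C:\SystemID\PersonalID.txt and %LocalAppData%\bowsakkdestx.txt; PIDs 2320 and 116 connect to api.2ip.ua (the external IP lookup the ET signatures flag); and PID 3592 issues the get.php?pid=<32 hex>&first=true request to tzgl.org and then tries to fetch /files/1/build3.exe, which returns 404. The Python below is an added example, not ANY.RUN's code and not the sample's: it encodes those observations as rules and runs them over event dicts constructed here from values printed in this report. The event schema ("type", "pid", "cmd", "path", "integrity", "url", "status", "host") and the rule names are this script's own assumptions.

```python
"""Detection rules for the STOP/Djvu behaviours recorded in this report.

Added example, not ANY.RUN code and not the sample's. The events below are
constructed by hand from values printed in the report (command lines, dropped
paths, URLs, hosts); the event schema and rule names are this script's own.
"""
import re

SAMPLE = "161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe"
SAMPLE_PATH = "C:\\Users\\admin\\AppData\\Local\\Temp\\" + SAMPLE[:-4] + "\\" + SAMPLE
SELF_COPY_DIR = r"C:\Users\admin\AppData\Local\e6b5fd98-65c3-443b-b7ac-7e4123032026"

# icacls <path> /deny <sid>:(inheritance flags)(rights), as run by PID 2036 above.
ICACLS_DENY = re.compile(
    r'^icacls\s+"(?P<path>[^"]+)"\s+/deny\s+\*?(?P<sid>S-[\d-]+):'
    r'(?P<inherit>(?:\([A-Z]{2}\))*)\((?P<rights>[A-Z,]+)\)', re.I)
EVERYONE_SID = "S-1-1-0"
DELETE_RIGHTS = {"DE", "DC"}            # icacls specific rights: delete, delete child
# GUID-named directory directly under %LocalAppData%: where the sample keeps its copy.
GUID_DIR = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Self-relaunch switches seen on PIDs 3068 and 3592 (only this combination is observed).
STOP_ARGS = re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask", re.I)
# C2 request carrying a 32-hex machine id and asking for a key ("first=true").
KEY_REQUEST = re.compile(r"/get\.php\?pid=[0-9A-F]{32}&first=true$", re.I)
PAYLOAD_FETCH = re.compile(r"/files/\d+/[^/?]+\.exe$", re.I)
STOP_MARKER_FILES = ("c:\\systemid\\personalid.txt", "\\appdata\\local\\bowsakkdestx.txt")
IP_LOOKUP_HOSTS = {"api.2ip.ua"}


def triage(events):
    """Return (pid, rule, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process":
            cmd = ev["cmd"]
            m = ICACLS_DENY.match(cmd)
            if m:
                rights = set(m["rights"].upper().split(","))
                if (m["sid"].upper() == EVERYONE_SID and rights & DELETE_RIGHTS
                        and GUID_DIR.search(m["path"])):
                    findings.append((pid, "icacls_everyone_deny_delete",
                                     f'{m["path"]} {m["inherit"]} {",".join(sorted(rights))}'))
            if STOP_ARGS.search(cmd):
                findings.append((pid, "stop_admin_relaunch", cmd))
            # a binary running from the user's Temp folder at HIGH integrity
            if ev.get("integrity") == "HIGH" and "\\appdata\\local\\temp\\" in ev["path"].lower():
                findings.append((pid, "high_integrity_from_temp", ev["path"]))
        elif kind == "file":
            low = ev["path"].lower()
            if any(low == f or low.endswith(f) for f in STOP_MARKER_FILES):
                findings.append((pid, "stop_marker_file", ev["path"]))
        elif kind == "http":
            url = ev["url"]
            if KEY_REQUEST.search(url):
                findings.append((pid, "stop_key_request", url))
            elif PAYLOAD_FETCH.search(url):
                findings.append((pid, "secondary_payload_fetch", f"{url} -> HTTP {ev['status']}"))
        elif kind == "connection" and ev["host"].lower() in IP_LOOKUP_HOSTS:
            findings.append((pid, "external_ip_lookup", ev["host"]))
    return findings


# Constructed from the report's process, dropped-file, HTTP and connection tables.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2320, "integrity": "MEDIUM", "path": SAMPLE_PATH,
     "cmd": f'"{SAMPLE_PATH}"'},
    {"type": "process", "pid": 2036, "integrity": "MEDIUM", "path": r"C:\Windows\system32\icacls.exe",
     "cmd": f'icacls "{SELF_COPY_DIR}" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "process", "pid": 3592, "integrity": "HIGH", "path": SAMPLE_PATH,
     "cmd": f'"{SAMPLE_PATH}" --Admin IsNotAutoStart IsNotTask'},
    {"type": "file", "pid": 3592, "path": r"C:\SystemID\PersonalID.txt"},
    {"type": "file", "pid": 3592, "path": r"C:\Users\admin\AppData\Local\bowsakkdestx.txt"},
    {"type": "connection", "pid": 2320, "host": "api.2ip.ua"},
    {"type": "http", "pid": 3592, "status": 200,
     "url": "http://tzgl.org/fhsgtsspen6/get.php?pid=6E3AAB7CB29BC9495DFDE01272C66F39&first=true"},
    {"type": "http", "pid": 3592, "status": 404, "url": "http://tzgl.org/files/1/build3.exe"},
]

if __name__ == "__main__":
    for pid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

Run directly it prints eight findings for the constructed events. The 404 on build3.exe is reported deliberately: a failed secondary download still tells you the stager tried to pull a second payload, and the path is something to hunt for in proxy logs. On a live host the deny ACE that the icacls rule spots is also what stops cleanup, so remediation starts with removing it (icacls on the directory with /remove:d *S-1-1-0) before deleting the copy.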

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 77.123.139.190
shared
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.comodoca.com
  • 104.18.31.182
  • 104.18.30.182
whitelisted
ocsp.usertrust.com
  • 104.18.30.182
  • 104.18.31.182
whitelisted
kotob.top
malicious
tzgl.org
  • 58.124.228.242
  • 58.235.189.190
  • 84.40.106.91
  • 95.104.121.111
  • 37.34.176.37
  • 183.100.39.157
  • 186.212.119.117
  • 77.243.64.119
  • 196.200.111.5
  • 197.44.54.172
malicious

Threats

PID | Process | Class | Message
(none) | (none) | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
2320 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
(none) | (none) | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3592 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request
116 | 161548b327b0ab4197a1f1b0d3bc8668beadbbbdbb05a92d25478f4358733c34.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
3 ETPRO signatures available at the full report
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe