Malware analysis WindowsProject1.exe Malicious activity

Add for printing

File name:	WindowsProject1.exe
Full analysis:	https://app.any.run/tasks/f9c5fb93-808c-4dae-9a3b-8fcb0215258c
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	February 26, 2026, 00:52:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	AA3EDE5FF7EA7F97EB8EB0B1E7E98162
SHA1:	231DACA4D4D319E30CF79CA4F074DDEF5DB25965
SHA256:	E760DA292FB5875A25A4D8CDE2E1FE535188A43069AEC6A43D7DA1CCEA35DF49
SSDEEP:	98304:AW8tdhe4YrluF+3tYLVeRQSLT3gyyO7Nb/PAXMXOkddcg1k2/KBpOwtaAXZi4fQS:2FzENeyr8b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: off

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- RANSOMWARE has been detected
  - WindowsProject1.exe (PID: 8388)
- Create files in the Startup directory
  - WindowsProject1.exe (PID: 8388)
SUSPICIOUS
- Reads the date of Windows installation
  - StartMenuExperienceHost.exe (PID: 3036)
  - SearchApp.exe (PID: 6032)
- The system shut down or reboot
  - WindowsProject1.exe (PID: 8388)
- Write to the desktop.ini file (may be used to cloak folders)
  - WindowsProject1.exe (PID: 8388)
INFO
- Reads the computer name
  - WindowsProject1.exe (PID: 8388)
  - StartMenuExperienceHost.exe (PID: 3036)
  - TextInputHost.exe (PID: 2756)
  - SearchApp.exe (PID: 7344)
  - SearchApp.exe (PID: 6032)
- Checks supported languages
  - WindowsProject1.exe (PID: 8388)
  - StartMenuExperienceHost.exe (PID: 3036)
  - TextInputHost.exe (PID: 2756)
  - SearchApp.exe (PID: 7344)
  - SearchApp.exe (PID: 6032)
- Process checks computer location settings
  - StartMenuExperienceHost.exe (PID: 3036)
  - SearchApp.exe (PID: 7344)
  - SearchApp.exe (PID: 6032)
- Reads security settings of Internet Explorer
  - StartMenuExperienceHost.exe (PID: 3036)
- Create files in a temporary directory
  - WindowsProject1.exe (PID: 8388)
- Checks proxy server information
  - slui.exe (PID: 4760)
  - SearchApp.exe (PID: 7344)
  - SearchApp.exe (PID: 6032)
- Reads the machine GUID from the registry
  - SearchApp.exe (PID: 7344)
- Drops script file
  - SearchApp.exe (PID: 7344)
  - WindowsProject1.exe (PID: 8388)
- There is functionality for taking screenshot (YARA)
  - WindowsProject1.exe (PID: 8388)
- Launching a file from the Startup directory
  - WindowsProject1.exe (PID: 8388)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2026:02:25 23:29:44+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.44
CodeSize:	104448
InitializedDataSize:	3840512
UninitializedDataSize:	-
EntryPoint:	0x1e81
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

169

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2756

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

3036

"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

3304

C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding

C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Modules Installer Worker

Exit code:

Version:

10.0.19041.3989 (WinBuild.160101.0800)

Modules

Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

4760

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5868

shutdown /r /t 300 /c "Dans 5 minutes tu n'as plus de PC fils de viol, le 18-25 t'a bien baiser le cul"

C:\Windows\SysWOW64\shutdown.exe

—

WindowsProject1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Shutdown and Annotation Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\shutdown.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6032

"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Search application

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\combase.dll

7344

"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Search application

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\combase.dll

7396

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

shutdown.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

8388

"C:\Users\admin\AppData\Local\Temp\WindowsProject1.exe"

C:\Users\admin\AppData\Local\Temp\WindowsProject1.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\windowsproject1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

8912

"C:\Users\admin\AppData\Local\Temp\WindowsProject1.exe"

C:\Users\admin\AppData\Local\Temp\WindowsProject1.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\windowsproject1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

16 348

Read events

15 556

Write events

Delete events

723

Modification events


(PID) Process:	(3036) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(3036) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(3036) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles
Operation:	write	Name:	Completed
Value: 1
(PID) Process:	(3036) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{8d5d005f-2f4c-d94b-7ea4-0581eb57d0a2}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 00000000CE3F0245BAA6DC01
(PID) Process:	(3036) StartMenuExperienceHost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${c6a388c9-afd3-47e2-a46b-29cb43ad4323}$start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
Operation:	write	Name:	Data
Value: 020000001DF90445BAA6DC0100000000434201000A0A00D0140CCA3200CB8C0A0212267B00410039003400310034003200440039002D0032003100350030002D0034003600380037002D0038003600390033002D003100450036003200320036003500390039003900430031007D000012267B00390033004600380044003900390046002D0036003500300041002D0034003100330035002D0038004200340043002D003200460046004100410041003300450046004600340039007D0000E22C01010000
(PID) Process:	(3304) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31237818
(PID) Process:	(3304) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:
(PID) Process:	(3036) StartMenuExperienceHost.exe	Key:	\REGISTRY\A\{8d5d005f-2f4c-d94b-7ea4-0581eb57d0a2}\LocalState\DataCorruptionRecovery
Operation:	write	Name:	InitializationAttemptCount
Value: 010000003C1ADC44BAA6DC01
(PID) Process:	(7344) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	SafeSearchMode
Value: 1
(PID) Process:	(7344) SearchApp.exe	Key:	\REGISTRY\A\{3c61bbb3-156d-18f6-4d56-671c5901df94}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_USEREMAIL
Value: 0000E8DB1E45BAA6DC01

Add for printing

Executable files

Suspicious files

4 592

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
8388	WindowsProject1.exe	\Device\Harddisk0\DR0		—
		MD5:—	SHA256:—
3304	TiWorker.exe	C:\Windows\Logs\CBS\CBS.log		—
		MD5:—	SHA256:—
8388	WindowsProject1.exe	C:\Users\admin\AppData\Local\Temp\WinServicePackages\Asset2.bin		image
		MD5:09339D72CF2D283B70FEE5B112CFC136	SHA256:369946FA304C7066F8D1B0C3EA38B986687ABA7A44F3888B83BDE75D203C7FAB
8388	WindowsProject1.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface		binary
		MD5:B01B5C71758144426751EABFE364C66B	SHA256:0A64ED368EE799E50156B041776FB28D2004B90BA68AA7FE4D68A1A60119CB57
8388	WindowsProject1.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner		binary
		MD5:5907C7BE3FF3274AD3F4B8D7B74C4B65	SHA256:F2FA0F3F04D14FBF2E2045EF613E14C35F959B708377C7755B9328918A4D2FE2
8388	WindowsProject1.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat		binary
		MD5:3C7864086B381C41CE2AB2E312173C32	SHA256:82653D152BD9794CC45FD946E872B9C8B2365FD9F734A890A7315BE37CF527BE
8388	WindowsProject1.exe	C:\Users\admin\3D Objects\desktop.ini		binary
		MD5:45B76E5DC4FBE34E85D445150E1B36CF	SHA256:F4C16EA2057751CD062BD6EAF3DCF87D0CFF1F806C1B529498002DCACF0C5D7B
8388	WindowsProject1.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention		binary
		MD5:0F3B488C0EAEC21D26E3813425555C15	SHA256:3EBEB78F723AB5BA4401CBDEFBDDA4CBE51AC2CCE37CB916FB81B8E2BB2A5557
8388	WindowsProject1.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents		binary
		MD5:5EC6DC68570A54A72D71DECC4B4F879C	SHA256:9A24B0FE144685AB8E07CDF207C1C18ACBFFDC60F85287430E2C68DCEBBF878A
7344	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\95d9a2a97a42f02325559b453ba7f8fe839baa18.tbres		binary
		MD5:6EAE91B229CB0DEC9F86322CF4C4F289	SHA256:508BE56BB8F6F6346FE2E7A383C86B335F5FE7BB28930E3036A4E3602DD974FA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

WindowsProject1.exe

AA3EDE5FF7EA7F97EB8EB0B1E7E98162

231DACA4D4D319E30CF79CA4F074DDEF5DB25965

E760DA292FB5875A25A4D8CDE2E1FE535188A43069AEC6A43D7DA1CCEA35DF49

98304:AW8tdhe4YrluF+3tYLVeRQSLT3gyyO7Nb/PAXMXOkddcg1k2/KBpOwtaAXZi4fQS:2FzENeyr8b

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RANSOMWARE has been detected

Create files in the Startup directory

SUSPICIOUS

Reads the date of Windows installation

The system shut down or reboot

Write to the desktop.ini file (may be used to cloak folders)

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

Reads security settings of Internet Explorer

Create files in a temporary directory

Checks proxy server information

Reads the machine GUID from the registry

Drops script file

There is functionality for taking screenshot (YARA)

Launching a file from the Startup directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings