File name: Jack_Ketch_V4.exe

Full analysis: https://app.any.run/tasks/46f3e9ba-4816-40a3-8dc1-a3e637119658
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: June 05, 2025, 06:50:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 11 sections
MD5: FA0F0B492B6C2348A6D9EC8A36795B47
SHA1: D182EB355D426B58DD3733158EB41CE9C78D6FDE
SHA256: F60DD7FD764EBFF64B98EB613BB98B58A811F76F00A5428D984FA1C9B6105C4A
SSDEEP: 49152:yX6XGILRbDVTkh5Cx8ilflFrFMNrv5hKsCwN:mTI/96HKsxN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RANSOMWARE has been detected

      • Jack_Ketch_V4.exe (PID: 5772)
      • Jack_Ketch_V4.exe (PID: 1168)
    • Writes a file to the Word startup folder

      • Jack_Ketch_V4.exe (PID: 1168)
    • Drops known malicious image

      • Jack_Ketch_V4.exe (PID: 1168)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • Jack_Ketch_V4.exe (PID: 5772)
      • Jack_Ketch_V4.exe (PID: 1168)
    • Executable content was dropped or overwritten

      • Jack_Ketch_V4.exe (PID: 5772)
      • Jack_Ketch_V4.exe (PID: 1168)
    • Process drops legitimate windows executable

      • Jack_Ketch_V4.exe (PID: 1168)
    • The process drops C-runtime libraries

      • Jack_Ketch_V4.exe (PID: 1168)
  • INFO

    • Checks supported languages

      • Jack_Ketch_V4.exe (PID: 5772)
      • Jack_Ketch_V4.exe (PID: 1168)
    • Creates files in the program directory

      • Jack_Ketch_V4.exe (PID: 5772)
      • Jack_Ketch_V4.exe (PID: 1168)
    • Manual execution by a user

      • cmd.exe (PID: 7184)
    • Creates files or folders in the user directory

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with english language support

      • Jack_Ketch_V4.exe (PID: 5772)
      • Jack_Ketch_V4.exe (PID: 1168)
    • Create files in a temporary directory

      • Jack_Ketch_V4.exe (PID: 1168)
    • SQLite executable

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with arabic language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with korean language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with japanese language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with bulgarian language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with czech language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with german language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with spanish language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with french language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with Indonesian language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with Italian language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with portuguese language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with polish language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with russian language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with slovak language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with swedish language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with turkish language support

      • Jack_Ketch_V4.exe (PID: 1168)
    • The sample compiled with chinese language support

      • Jack_Ketch_V4.exe (PID: 1168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:05 06:49:46+00:00
ImageFileCharacteristics: Executable, No line numbers, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.41
CodeSize: 744448
InitializedDataSize: 995840
UninitializedDataSize: 1024
EntryPoint: 0x13f0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0


Process information

PID | CMD | Path | Indicators | Parent process
PID: 1168 | CMD: .\Jack_Ketch_V4.exe | Path: C:\Users\admin\AppData\Local\Temp\Jack_Ketch_V4.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\jack_ketch_v4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
PID: 2692 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4892 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: Jack_Ketch_V4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5772 | CMD: "C:\Users\admin\AppData\Local\Temp\Jack_Ketch_V4.exe" | Path: C:\Users\admin\AppData\Local\Temp\Jack_Ketch_V4.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\jack_ketch_v4.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
PID: 5972 | CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding | Path: C:\Windows\System32\SppExtComObj.Exe | Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 6040 | CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | Path: C:\Windows\System32\slui.exe | Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7184 | CMD: "C:\WINDOWS\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
PID: 8156 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 1 218
Read events: 1 218
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 786
Suspicious files: 5 819
Text files: 1 390
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5772 | Jack_Ketch_V4.exe | C:\bootTel.dat | binary
MD5: 37430F605EE929C1604D970C8E4210C2 | SHA256: 70D36606EC14F122B51ACF893ED881633F8EE2B782DB0F16912D683B5C224956
5772 | Jack_Ketch_V4.exe | C:\ProgramData\USOShared\Logs\User\NotifyIcon.b704194b-0449-4f67-97f0-3d5eae337cbd.1.etl | binary
MD5: A60F2616EF9E26EF2723612B6926E97E | SHA256: DC7F0883E7EA5E324DEA8673A3E68E0A3C3CDE25F92DE8F262A7C9F6B4D28341
5772 | Jack_Ketch_V4.exe | C:\ProgramData\USOShared\Logs\User\UpdateUx.94ea639f-89c3-4817-855e-65e0f8ae1dcd.15.etl | binary
MD5: 3EC46AFDB402970A56D628F30332A06A | SHA256: 0B0FA8B57EAC4CE9DA5FB6A6D2659F273F28325C5D4DCD74D554C949D08B4F3F
5772 | Jack_Ketch_V4.exe | C:\ProgramData\Microsoft OneDrive\setup\refcount.ini | binary
MD5: 5DD97594C3DEF03756451E6408954491 | SHA256: 5DF6E0E2761359D30A8275058E299FCC0381534545F55CF43E41983F5D4C9456
5772 | Jack_Ketch_V4.exe | C:\ProgramData\USOShared\Logs\User\NotificationUx.97e3dd05-463c-449d-901f-a93a520f542c.1.etl | binary
MD5: CC21EF6A19A5644EE43F3000DDDE8673 | SHA256: A53E90BCC8C59993DF977259425ADE22F804E03FAEFAA40E8399C83F2596CABC
5772 | Jack_Ketch_V4.exe | C:\ProgramData\USOShared\Logs\User\NotificationUx.a706f7c2-bd98-4de8-b5d0-cd669e6768de.1.etl | binary
MD5: 5F634FE3D8A135F55958D70902799684 | SHA256: 5D927B31CB0F324B877AFE6E9C7B57FF337B9AD59DAFAF53D600743F3DE07B9B
5772 | Jack_Ketch_V4.exe | C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CB | binary
MD5: 5DD97594C3DEF03756451E6408954491 | SHA256: 5DF6E0E2761359D30A8275058E299FCC0381534545F55CF43E41983F5D4C9456
5772 | Jack_Ketch_V4.exe | C:\ProgramData\USOShared\Logs\User\NotifyIcon.c479afc8-f865-4c21-b3f7-3c18fefb7e54.1.etl | binary
MD5: 4133DB47B0993DF22595B446ABB53030 | SHA256: 4FF0FC9A6D00E7439AB16865072C2784ED9BFF78F824F805E80A74BDE8780815
5772 | Jack_Ketch_V4.exe | C:\ProgramData\USOShared\Logs\User\NotifyIcon.bba7342a-f6da-4c0b-b860-0d95c6df2151.1.etl | binary
MD5: C6E248C777DDC9DD876238ECD2FCD7BD | SHA256: D05B6A83687D28769C50EC915991604E52168F7BC6492E3FF4C9197C530A59F9
5772 | Jack_Ketch_V4.exe | C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.json | binary
MD5: C42E0AD5EC5EDDB563D55DED86352073 | SHA256: 68CD29ED8818B9D5C1409D810FC739E4925587ED1F2146F0861284E83EB4B9F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 34
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
2924 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
4728 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
4728 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
2924 | SearchApp.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4616 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
616 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6544 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.187.174
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.130
  • 20.190.160.65
  • 20.190.160.66
  • 40.126.32.74
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
www.bing.com
  • 2.23.227.138
  • 2.23.227.142
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
th.bing.com
  • 2.19.96.82
  • 2.19.96.83
  • 2.19.96.35
  • 2.19.96.107
  • 2.19.96.66
  • 2.19.96.129
  • 2.19.96.11
  • 2.19.96.120
  • 2.19.96.130
whitelisted

Threats

No threats detected
No debug info