File name: svc32.exe

Full analysis: https://app.any.run/tasks/738e5fa6-de86-4a99-9c4b-3e94b834a489
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 20, 2022, 04:25:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
  • loader
  • stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1DE374AC2F6315AA8B9F8FF8FB0D4318
SHA1: 2F861190743DA5782222283DDB5EBD19DFBB1A04
SHA256: 08A3578E67B4D1A7B3054C66E507B63EFC522AF25AEE48215DA344EF0140492B
SSDEEP: 12288:hdhguPN/STULq0KYQHcf0CBY32JkXoQhsP764a1fV6b9:hdFPN/Sro0CB7kYesP7LyfE9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • svchost.exe (PID: 864)
    • Runs injected code in another process

      • powercfg.exe (PID: 2432)
    • Drops executable file immediately after starts

      • rundll32.exe (PID: 2400)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2400)
    • Application was dropped or rewritten from another process

      • chromedriver-75.0.3770.100.exe (PID: 2180)
    • Stealing of credential data

      • rundll32.exe (PID: 2400)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 2400)
  • SUSPICIOUS

    • Checks supported languages

      • svc32.exe (PID: 3052)
      • svchost.exe (PID: 864)
      • chromedriver-75.0.3770.100.exe (PID: 2180)
    • Executed as Windows Service

      • powercfg.exe (PID: 2432)
    • Creates files in the program directory

      • powercfg.exe (PID: 2432)
    • Reads Microsoft Outlook installation path

      • powercfg.exe (PID: 2432)
    • Removes files from Windows directory

      • powercfg.exe (PID: 2432)
    • Creates files in the Windows directory

      • powercfg.exe (PID: 2432)
    • Reads the computer name

      • svc32.exe (PID: 3052)
      • chromedriver-75.0.3770.100.exe (PID: 2180)
    • Executed via COM

      • DllHost.exe (PID: 3064)
      • explorer.exe (PID: 1388)
    • Uses SYSTEMINFO.EXE to read environment

      • svc32.exe (PID: 3052)
    • Executable content was dropped or overwritten

      • svc32.exe (PID: 3052)
      • rundll32.exe (PID: 2400)
    • Drops a file with a compile date too recent

      • svc32.exe (PID: 3052)
      • rundll32.exe (PID: 2400)
      • chrome.exe (PID: 2408)
    • Drops a file that was compiled in debug mode

      • svc32.exe (PID: 3052)
      • rundll32.exe (PID: 2400)
    • Uses RUNDLL32.EXE to load library

      • svc32.exe (PID: 3052)
    • Reads the cookies of Google Chrome

      • rundll32.exe (PID: 2400)
  • INFO

    • Checks supported languages

      • DllHost.exe (PID: 3064)
      • systeminfo.exe (PID: 2652)
      • powercfg.exe (PID: 2432)
      • explorer.exe (PID: 1388)
      • rundll32.exe (PID: 2400)
      • ctfmon.exe (PID: 904)
      • explorer.exe (PID: 2568)
      • chrome.exe (PID: 2408)
      • chrome.exe (PID: 2132)
      • chrome.exe (PID: 1104)
      • chrome.exe (PID: 2632)
      • chrome.exe (PID: 2968)
      • chrome.exe (PID: 2256)
      • chrome.exe (PID: 2476)
      • chrome.exe (PID: 1916)
      • chrome.exe (PID: 1432)
      • chrome.exe (PID: 2496)
      • chrome.exe (PID: 2064)
      • chrome.exe (PID: 2356)
      • chrome.exe (PID: 2564)
      • chrome.exe (PID: 2312)
    • Reads CPU info

      • powercfg.exe (PID: 2432)
    • Reads the computer name

      • DllHost.exe (PID: 3064)
      • systeminfo.exe (PID: 2652)
      • powercfg.exe (PID: 2432)
      • rundll32.exe (PID: 2400)
      • ctfmon.exe (PID: 904)
      • explorer.exe (PID: 2568)
      • explorer.exe (PID: 1388)
      • chrome.exe (PID: 2408)
      • chrome.exe (PID: 2968)
      • chrome.exe (PID: 1104)
      • chrome.exe (PID: 2064)
      • chrome.exe (PID: 2564)
    • Checks Windows Trust Settings

      • svc32.exe (PID: 3052)
    • Reads settings of System Certificates

      • svc32.exe (PID: 3052)
      • chrome.exe (PID: 1104)
    • Dropped object may contain Bitcoin addresses

      • rundll32.exe (PID: 2400)
    • Reads the hosts file

      • chrome.exe (PID: 2408)
      • chrome.exe (PID: 1104)
    • Dropped object may contain TOR URL's

      • rundll32.exe (PID: 2400)
    • Reads the date of Windows installation

      • chrome.exe (PID: 2564)
    • Application launched itself

      • chrome.exe (PID: 2408)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

FileSubtype: -
ObjectFileType: Static library
FileOS: Unknown (0x60474)
FileFlags: Private build, Info inferred, Special build
FileFlagsMask: 0x058c
ProductVersionNumber: 23.0.0.0
FileVersionNumber: 52.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x27df
UninitializedDataSize: -
InitializedDataSize: 577024
CodeSize: 64512
LinkerVersion: 9
PEType: PE32
TimeStamp: 2021:04:24 23:29:16+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Apr-2021 21:29:16
Detected languages:
  • Croatian - Croatia
Debug artifacts:
  • C:\hibutola\lefunijixac xebopesanade-nexubi\betoxi.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 24-Apr-2021 21:29:16
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000FBF0 | 0x0000FC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70341
.rdata | 0x00011000 | 0x0006FB1E | 0x0006FC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.47444
.data | 0x00081000 | 0x0000D168 | 0x00008800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.67012
.rsrc | 0x0008F000 | 0x0000E760 | 0x0000E800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.22912

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.38826 | 504 | UNKNOWN | Croatian - Croatia | RT_VERSION
2 | 5.72592 | 2216 | UNKNOWN | Croatian - Croatia | RT_ICON
3 | 6.02282 | 1384 | UNKNOWN | Croatian - Croatia | RT_ICON
4 | 6.00305 | 9640 | UNKNOWN | Croatian - Croatia | RT_ICON
5 | 6.07279 | 4264 | UNKNOWN | Croatian - Croatia | RT_ICON
6 | 5.99717 | 2440 | UNKNOWN | Croatian - Croatia | RT_ICON
7 | 6.0879 | 1128 | UNKNOWN | Croatian - Croatia | RT_ICON
8 | 5.68611 | 3752 | UNKNOWN | Croatian - Croatia | RT_ICON
9 | 5.76937 | 2216 | UNKNOWN | Croatian - Croatia | RT_ICON
10 | 5.56158 | 1736 | UNKNOWN | Croatian - Croatia | RT_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
WINHTTP.dll
No data.
All screenshots are available in the full report
Total processes: 69
Monitored processes: 24
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Interactive graph not reproduced. Processes shown in the graph: svc32.exe, powercfg.exe, svchost.exe, DllHost.exe, systeminfo.exe, rundll32.exe, explorer.exe (2 instances), ctfmon.exe, chromedriver-75.0.3770.100.exe, chrome.exe (14 instances).

Process information

PID
CMD
Path
Indicators
Parent process
PID: 864
CMD: C:\Windows\system32\svchost.exe -k DcomLaunch
Path: C:\Windows\system32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\spinf.dll
c:\windows\system32\user32.dll
PID: 904
CMD: ctfmon.exe
Path: C:\Windows\system32\ctfmon.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1104
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1164,5018469898932602472,3760733780012174991,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-logging --ignore-certificate-errors --log-level=0 --ignore-certificate-errors --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8" --enable-logging --log-level=0 --service-request-channel-token=9775090319448922249 --mojo-platform-channel-handle=1376 /prefetch:8
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 1388
CMD: C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\explorer.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1432
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --enable-logging --log-level=0 --field-trial-handle=1164,5018469898932602472,3760733780012174991,131072 --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8" --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5910991331488519053 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 1916
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1164,5018469898932602472,3760733780012174991,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-logging --ignore-certificate-errors --log-level=0 --ignore-certificate-errors --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8" --enable-logging --log-level=0 --service-request-channel-token=3157825861811207278 --mojo-platform-channel-handle=2636 /prefetch:8
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2064
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1164,5018469898932602472,3760733780012174991,131072 --lang=en-US --no-sandbox --no-sandbox --enable-logging --ignore-certificate-errors --log-level=0 --ignore-certificate-errors --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8" --enable-logging --log-level=0 --service-request-channel-token=15702507283700278734 --mojo-platform-channel-handle=3528 /prefetch:8
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2132
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8\Crashpad --metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x8c,0x90,0x94,0x88,0x98,0x7fef41f3ef8,0x7fef41f3f08,0x7fef41f3f18
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2180
CMD: "C:\Users\admin\AppData\Local\Temp\chromedriver-75.0.3770.100.exe" --port=28829 --verbose
Path: C:\Users\admin\AppData\Local\Temp\chromedriver-75.0.3770.100.exe
Parent process: rundll32.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\chromedriver-75.0.3770.100.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2256
CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --enable-logging --log-level=0 --field-trial-handle=1164,5018469898932602472,3760733780012174991,131072 --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8" --disable-client-side-phishing-detection --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4419712460957452835 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files (x86)\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
Total events: 14 380
Read events: 14 244
Write events: 132
Delete events: 4

Modification events

(PID) Process: (2432) powercfg.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2432) powercfg.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2432) powercfg.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2432) powercfg.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2432) powercfg.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3052) svc32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3052) svc32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3052) svc32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3052) svc32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3052) svc32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000087000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 5
Suspicious files: 730
Text files: 310
Unknown types: 69

Dropped files

PID | Process | Filename | Type
2432 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-ntkl.etl | -
3064 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | -
2400 | rundll32.exe | C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8\BrowserMetrics-5F0F055E-914.pma | -
2400 | rundll32.exe | C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8\BrowserMetrics\BrowserMetrics-5F0F055E-914.pma | -
2400 | rundll32.exe | C:\Users\admin\AppData\Local\Google\Chrome\515184DC-EFC3-4B51-8E69-830A033E97D8\BrowserMetrics-spare.pma | -
3064 | DllHost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary
3052 | svc32.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
2400 | rundll32.exe | C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll | executable
2432 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html | html
2432 | powercfg.exe | C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etl | etl
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 152
TCP/UDP connections: 223
DNS requests: 32
Threats: 154

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=11&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s= | US | - | - | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=11&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=navigate-done | US | - | - | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=11&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=navigate-done | US | - | - | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=11&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=navigate-done | US | - | - | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=7&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s= | US | text | 43 b | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=11&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=navigate-done | US | - | - | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=5&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=start | US | text | 2 b | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=5&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=create-process | US | text | 2 b | suspicious
2400 | rundll32.exe | POST | 200 | 8.210.164.59:80 | http://dortyaa.xyz/xs/yt.php?t=8&zs=515184DC-EFC3-4B51-8E69-830A033E97D8&s=fetch-driver | US | executable | 8.00 Mb | suspicious
3052 | svc32.exe | GET | 200 | 2.16.216.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1d00d793611aff6d | unknown | compressed | 59.9 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3052 | svc32.exe | 8.210.164.59:443 | dortyaa.xyz | Level 3 Communications, Inc. | US | suspicious
1104 | chrome.exe | 142.250.186.46:443 | clients2.google.com | Google Inc. | US | whitelisted
1104 | chrome.exe | 142.250.185.67:443 | update.googleapis.com | Google Inc. | US | whitelisted
3052 | svc32.exe | 2.16.216.50:80 | ctldl.windowsupdate.com | Akamai International B.V. | unknown | -
1104 | chrome.exe | 142.250.186.138:443 | www.googleapis.com | Google Inc. | US | whitelisted
1104 | chrome.exe | 142.250.185.99:443 | www.gstatic.com | Google Inc. | US | whitelisted
1104 | chrome.exe | 142.250.185.174:443 | android.clients.google.com | Google Inc. | US | whitelisted
1104 | chrome.exe | 173.194.76.188:5228 | mtalk.google.com | Google Inc. | US | whitelisted
1104 | chrome.exe | 173.194.135.106:443 | r5---sn-aigzrn7z.googlevideo.com | Google Inc. | US | whitelisted
1104 | chrome.exe | 142.250.184.228:443 | www.google.com | Google Inc. | US | whitelisted

DNS requests

Domain
IP
Reputation
dortyaa.xyz
  • 8.210.164.59
suspicious
ctldl.windowsupdate.com
  • 2.16.216.50
  • 2.16.216.40
whitelisted
clients2.google.com
  • 142.250.186.46
whitelisted
www.googleapis.com
whitelisted
www.google.com.ua
  • 142.250.185.195
whitelisted
accounts.google.com
  • 142.250.186.109
shared
android.clients.google.com
whitelisted
update.googleapis.com
  • 142.250.185.67
whitelisted
mtalk.google.com
  • 173.194.76.188
whitelisted
fonts.googleapis.com
  • 216.58.212.138
whitelisted

Threats

PID | Process | Class | Message
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
2400 | rundll32.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain
Process | Message
rundll32.exe | PluginRegisterCallbacks start from autorun...
rundll32.exe | CopyFileFromMemory C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll 0...
rundll32.exe | CopyFileFromMemory: OpenFileMappingA tghry456h45i645trhjde45764586845: success
rundll32.exe | CopyFileFromMemory: MapViewOfFile [0xe4]tghry456h45i645trhjde45764586845 size=1099776: success
rundll32.exe | CopyFileFromMemory: CreateFile C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll: success
rundll32.exe | CopyFileFromMemory: WriteFile C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll 1099776 => 1099776: success
rundll32.exe | CopyFileFromMemory C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll 0 done
rundll32.exe | Setting autorun for C:\Windows\system32\regsvr32.exe /s "C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll"...
rundll32.exe | Setting autorun for C:\Windows\system32\regsvr32.exe /s "C:\Users\admin\AppData\Local\{09A9EE59-3F90-45F3-8EF5-83D3AD44352C}.dll" done
rundll32.exe | Creating Guid