General Info

File name

qpbxcmwj.exe

Full analysis
https://app.any.run/tasks/0f8d6bbf-e1fa-4155-9f34-ff99c39963a4
Verdict
Malicious activity
Analysis date
3/15/2019, 02:05:12
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
tofsee
miner
trojan
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5

89d949562ec5894165cbd7fd458a3d3a

SHA1

78d11b6e5d0e941a7c998fee9e6cc70a0966b6e2

SHA256

2e814142b2e638b48925b31e247c63cf9dd0b7a989aaacba036a0cd2cfb62681

SSDEEP

3072:Sth2zsukpFDCCB+Nzza4ntz8i3hP75mDY:SYsvRSzautIKQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
MINER was detected
  • svchost.exe (PID: 1020)
Connects to CnC server
  • svchost.exe (PID: 1020)
Uses SVCHOST.EXE for hidden code execution
  • svchost.exe (PID: 4048)
  • hxdwxfve.exe (PID: 3328)
TOFSEE was detected
  • svchost.exe (PID: 4048)
Application was dropped or rewritten from another process
  • hxdwxfve.exe (PID: 3328)
Looks like application has launched a miner
  • svchost.exe (PID: 4048)
Executable content was dropped or overwritten
  • qpbxcmwj.exe (PID: 3840)
  • cmd.exe (PID: 2896)
Creates or modifies windows services
  • svchost.exe (PID: 4048)
Application launched itself
  • svchost.exe (PID: 4048)
Starts CMD.EXE for commands execution
  • qpbxcmwj.exe (PID: 3840)
Uses NETSH.EXE for network configuration
  • qpbxcmwj.exe (PID: 3840)
Connects to SMTP port
  • svchost.exe (PID: 4048)
Creates files in the Windows directory
  • svchost.exe (PID: 4048)
Connects to unusual port
  • svchost.exe (PID: 4048)
Starts SC.EXE for service management
  • qpbxcmwj.exe (PID: 3840)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.dll
|   Win32 Dynamic Link Library (generic) (43.5%)
.exe
|   Win32 Executable (generic) (29.8%)
.exe
|   Generic Win/DOS Executable (13.2%)
.exe
|   DOS Executable Generic (13.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2014:10:20 17:41:53+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
19968
InitializedDataSize:
76800
UninitializedDataSize:
null
EntryPoint:
0x500c
OSVersion:
5.1
ImageVersion:
5.1
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
20-Oct-2014 15:41:53
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
20-Oct-2014 15:41:53
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x00004C28 0x00004E00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 3.6861
.rdata 0x00006000 0x00012549 0x00012600 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.9793
.rsrc 0x00019000 0x00000460 0x00CBCA00 IMAGE_SCN_MEM_READ 5.19023
Resources
1

Imports
    shell32.dll

    cryptdll.dll

    ctl3d32.dll

    authz.dll

    shlwapi.dll

    advapi32.dll

    certcli.dll

    kernel32.dll

    user32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
51
Monitored processes
12
Malicious processes
4
Suspicious processes
0

Behavior graph

+
start qpbxcmwj.exe wusa.exe no specs wusa.exe cmd.exe cmd.exe sc.exe sc.exe sc.exe hxdwxfve.exe no specs #TOFSEE svchost.exe netsh.exe #MINER svchost.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3840
CMD
"C:\Users\admin\AppData\Local\Temp\qpbxcmwj.exe"
Path
C:\Users\admin\AppData\Local\Temp\qpbxcmwj.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\qpbxcmwj.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\ctl3d32.dll
c:\windows\system32\authz.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wusa.exe
c:\windows\system32\mpr.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
2940
CMD
"C:\Windows\System32\wusa.exe"
Path
C:\Windows\System32\wusa.exe
Indicators
No indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll

PID
3664
CMD
"C:\Windows\System32\wusa.exe"
Path
C:\Windows\System32\wusa.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dpx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

PID
2204
CMD
cmd /C mkdir C:\Windows\system32\zqtmkris\
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2896
CMD
cmd /C move /Y "C:\Users\admin\AppData\Local\Temp\hxdwxfve.exe" C:\Windows\system32\zqtmkris\
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3596
CMD
sc create zqtmkris binPath= "C:\Windows\system32\zqtmkris\hxdwxfve.exe /d\"C:\Users\admin\AppData\Local\Temp\qpbxcmwj.exe\"" type= own start= auto DisplayName= "wifi support"
Path
C:\Windows\system32\sc.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2220
CMD
sc description zqtmkris "wifi internet conection"
Path
C:\Windows\system32\sc.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2876
CMD
sc start zqtmkris
Path
C:\Windows\system32\sc.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3328
CMD
C:\Windows\system32\zqtmkris\hxdwxfve.exe /d"C:\Users\admin\AppData\Local\Temp\qpbxcmwj.exe"
Path
C:\Windows\system32\zqtmkris\hxdwxfve.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\zqtmkris\hxdwxfve.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\ctl3d32.dll
c:\windows\system32\authz.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\certcli.dll
c:\windows\system32\atl.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll

PID
4048
CMD
svchost.exe
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
hxdwxfve.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\secur32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\upnp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ssdpapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\psapi.dll
c:\windows\system32\apphelp.dll

PID
3944
CMD
netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul
Path
C:\Windows\system32\netsh.exe
Indicators
Parent process
qpbxcmwj.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\slc.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nci.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\netshell.dll
c:\windows\system32\shell32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\atl.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\certcli.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\polstore.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\wdi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\tdh.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\qagent.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\eapqec.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll

PID
1020
CMD
svchost.exe -a cryptonight-heavy --variant tube -o stratum+tcp://185.212.129.80:8087 -u 1 -p x --nicehash --safe
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll

Registry activity

Total events
158
Read events
94
Write events
64
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3840
qpbxcmwj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3840
qpbxcmwj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4048
svchost.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\zqtmkris
ImagePath
C:\Windows\system32\zqtmkris\hxdwxfve.exe
4048
svchost.exe
write
HKEY_USERS\.DEFAULT\Control Panel\Buses
Config0
3C37573DEC17900824EDB47D450DD49D084297DCE82E72BAA49822FD707B421D8C24F4E781CD945D24EDB47D470DD49D024195DAF71261ADC06D04FDA6E22673BBC9154961CDA56916DB87457538E0AD644490BDB57822ED965802CDF2B554758DF21D5904FCA66915D88345773FE29D084295D9E13F4BB4C06D06FDADFD5430D59C43053DF8A0681DDEB40E367B8BE90D4091BDB5742DEE955E03CFF2BC54718BCE15515BB9FD3041ED8549763BE7A55518C08984A934DAA485EEF9918D541DE4AC743D04BAFB2F4FB2C70F320DD49D642DF4BD84584131F0E734FDC48D57D1F6AE743D04CCA1731DC3874F6A3CE2AB642DF4BD844D14DDA46D34FDC48D541DE4AD743D04CD945D24EDB47D440DD49D642DF4BD844D14DDA46D34FDC48D541DE4AD743D04CD705C24EDB5497723E6AE5503C093B24D14DDA46D34FDC48D541DE4AD743D04CD945D24EDB47D440DD49D642DF4BD844D14DDA46D34FDC48D541DE4AD743D04CD945D24EDB49D450DD4
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-100
DHCP Quarantine Enforcement Client
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-101
Provides DHCP based enforcement for NAP
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-103
1.0
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-102
Microsoft Corporation
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-1
IPsec Relying Party
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-2
Provides IPsec based enforcement for Network Access Protection
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-4
1.0
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-3
Microsoft Corporation
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-100
RD Gateway Quarantine Enforcement Client
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-101
Provides RD Gateway enforcement for NAP
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-102
1.0
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-103
Microsoft Corporation
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-100
EAP Quarantine Enforcement Client
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-101
Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-102
1.0
3944
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-103
Microsoft Corporation

Files activity

Executable files
2
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2896
cmd.exe
C:\Windows\system32\zqtmkris\hxdwxfve.exe
executable
MD5: ffcbad2011564723ec3036b831c6164c
SHA256: a2be0d8867148d78799995f9398662ea63e4a8b675f4ea7c35cb4c7c4fc10f9b
3840
qpbxcmwj.exe
C:\Users\admin\AppData\Local\Temp\hxdwxfve.exe
executable
MD5: ffcbad2011564723ec3036b831c6164c
SHA256: a2be0d8867148d78799995f9398662ea63e4a8b675f4ea7c35cb4c7c4fc10f9b
4048
svchost.exe
C:\Windows\system32\config\systemprofile:.repos
binary
MD5: 4f12e8325d5d81a69c5b7200632def20
SHA256: 5f14f0647350fc874da972d90670eb2eddff1d6d3fb033889a9091c0ae789bf7
4048
svchost.exe
C:\Windows\system32\config\systemprofile:.repos
binary
MD5: d7e72e135cc86a4e616142663ada06be
SHA256: 6ca4d7deea51d8b4f5a825bf3e8a2262d4d219bd3550415c1f1a74e21287edb8

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
5
TCP/UDP connections
35
DNS requests
37
Threats
14

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
4048 svchost.exe GET 302 216.58.210.4:80 http://www.google.com/ US
html
whitelisted
4048 svchost.exe GET 302 216.58.210.4:80 http://www.google.com/ US
html
whitelisted
4048 svchost.exe GET 302 216.58.210.4:80 http://www.google.com/ US
html
whitelisted
4048 svchost.exe GET 302 216.58.210.4:80 http://www.google.com/ US
html
whitelisted
4048 svchost.exe GET 302 216.58.210.4:80 http://www.google.com/ US
html
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
4048 svchost.exe 104.215.148.63:80 Microsoft Corporation SG unknown
4048 svchost.exe 104.47.54.36:25 Microsoft Corporation US unknown
4048 svchost.exe 43.231.4.7:443 Gigabit Hosting Sdn Bhd MY malicious
4048 svchost.exe 67.195.229.58:25 Yahoo US unknown
4048 svchost.exe 5.9.32.166:484 Hetzner Online GmbH DE malicious
–– –– 177.153.23.241:25 Locaweb Serviços de Internet S/A BR unknown
–– –– 98.136.101.117:25 Yahoo US unknown
–– –– 185.212.129.80:8087 Virtual Trade Ltd NL suspicious
–– –– 205.193.229.132:25 Shared Services Canada CA unknown
–– –– 184.150.200.210:25 Bell Canada CA unknown
–– –– 35.162.106.154:25 Amazon.com, Inc. US unknown
–– –– 213.209.1.129:25 Italiaonline S.p.A. IT unknown
–– –– 212.227.15.9:25 1&1 Internet SE DE unknown
–– –– 68.87.20.5:25 Comcast Cable Communications, LLC US unknown
–– –– 104.47.2.33:25 Microsoft Corporation IE whitelisted
–– –– 104.47.12.33:25 Microsoft Corporation IE whitelisted
–– –– 148.163.143.65:25 Proofpoint, Inc. US unknown
4048 svchost.exe 173.194.202.26:25 Google Inc. US whitelisted
4048 svchost.exe 144.76.199.43:420 Hetzner Online GmbH DE malicious
4048 svchost.exe 144.76.199.2:420 Hetzner Online GmbH DE malicious
4048 svchost.exe 85.25.119.25:420 Host Europe GmbH DE malicious
4048 svchost.exe 176.111.49.43:420 United Networks of Ukraine, Ltd UA malicious
4048 svchost.exe 46.4.52.109:420 Hetzner Online GmbH DE unknown
4048 svchost.exe 216.58.210.4:80 Google Inc. US whitelisted
4048 svchost.exe 54.71.111.34:443 Amazon.com, Inc. US unknown

DNS requests

Domain IP Reputation
microsoft.com 104.215.148.63
13.77.161.179
40.76.4.15
40.112.72.205
40.113.200.201
whitelisted
microsoft-com.mail.protection.outlook.com 104.47.54.36
shared
yahoo.com No response whitelisted
mta7.am0.yahoodns.net 67.195.229.58
74.6.137.65
98.137.159.26
67.195.228.141
66.218.85.52
98.136.101.117
98.137.159.24
74.6.137.63
unknown
185.186.148.159.dnsbl.sorbs.net No response unknown
ig.com.br No response whitelisted
185.186.148.159.bl.spamcop.net No response unknown
185.186.148.159.zen.spamhaus.org No response unknown
185.186.148.159.sbl-xbl.spamhaus.org No response unknown
mx1.ig.correio.biz 177.153.23.241
unknown
metorex.fi No response unknown
185.186.148.159.cbl.abuseat.org 127.0.0.2
unknown
sympatico.ca No response unknown
mx.ssan.seg-egs.gc.ca 205.193.229.132
unknown
pwgsc.gc.ca No response unknown
mxmta.owm.bell.net 184.150.200.210
unknown
yahoo.ca No response unknown
cox.net No response whitelisted
cxr.mx.a.cloudfilter.net 35.162.106.154
18.209.118.139
34.212.80.54
52.73.137.222
unknown
gmx.net No response whitelisted
mx00.emig.gmx.net 212.227.15.9
unknown
libero.it No response whitelisted
smtp-in.libero.it 213.209.1.129
unknown
comcast.net No response whitelisted
mx2.comcast.net 68.87.20.5
unknown
live.it No response unknown
eur.olc.protection.outlook.com 104.47.2.33
104.47.0.33
whitelisted
hotmail.com No response malicious
hotmail-com.olc.protection.outlook.com 104.47.12.33
104.47.14.33
shared
mx0b-0016dd01.pphosted.com 148.163.143.65
unknown
mckesson.com No response whitelisted
google.com No response whitelisted
alt4.aspmx.l.google.com 173.194.202.26
whitelisted
www.google.com 216.58.210.4
whitelisted
www.netflix.com 54.71.111.34
34.208.21.204
52.42.228.237
35.160.180.148
52.11.24.193
35.166.68.183
34.209.185.102
54.71.93.100
whitelisted

Threats

PID Process Class Message
4048 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Tofsee.bot
4048 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Tofsee.bot
1020 svchost.exe Potential Corporate Privacy Violation ET POLICY Cryptocurrency Miner Checkin
1020 svchost.exe Misc activity MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
1020 svchost.exe Misc activity MINER [PTsecurity] Risktool.W32.coinminer!c
1020 svchost.exe Misc activity MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response
1020 svchost.exe Misc activity MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
1020 svchost.exe Misc activity MINER [PTsecurity] Risktool.W32.coinminer!c
1020 svchost.exe Misc activity MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response

5 ETPRO signatures available at the full report

Debug output strings

No debug info.