File name: paranor.7z
Full analysis: https://app.any.run/tasks/85c60484-e163-4288-add9-ac00195e8acf
Verdict: Malicious activity
Analysis date: August 08, 2024, 08:43:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
vmprotect
upx
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 3D234118EACD7EC9FFEBED5B00827A5F
SHA1: 6272ABB9F0E7D391EBA4FE22A416EF8CEF77BAC9
SHA256: 30F4561861E99D1B04D30395A4A671D9291EF1A2261FC22E7F8C80B1E9EA43B7
SSDEEP: 98304:KVPflCFjd+dDxmo6kZVQ/BpEmi8ovZmbLHSJQTBRGBZxTmkJX7cPjEHncCR5rmK2:tSxqeQY72

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6700)
      • Client.exe (PID: 3372)
      • install.exe (PID: 2224)
      • GBFF Client.exe (PID: 4064)
      • 123.exe (PID: 7100)
    • Scans artifacts that could help determine the target

      • Client.exe (PID: 3180)
    • Connects to the CnC server

      • 히든 디도스 클라이언트.exe (PID: 6388)
  • SUSPICIOUS

    • Creates a file in the system drive root

      • Client.exe (PID: 3180)
      • install.exe (PID: 2224)
      • Client.exe (PID: 3372)
      • GBFF Client.exe (PID: 4064)
      • 123.exe (PID: 7100)
    • Executable content was dropped or overwritten

      • install.exe (PID: 2224)
      • Client.exe (PID: 3372)
      • GBFF Client.exe (PID: 4064)
      • 123.exe (PID: 7100)
    • Reads security settings of Internet Explorer

      • Client.exe (PID: 3372)
      • Client.exe (PID: 3180)
      • Build.exe (PID: 252)
      • GBFF Client.exe (PID: 4064)
    • Reads the date of Windows installation

      • Client.exe (PID: 3372)
      • GBFF Client.exe (PID: 4064)
    • Executes as Windows Service

      • xonvom.exe (PID: 6216)
      • hydjuc.exe (PID: 5656)
    • Reads Microsoft Outlook installation path

      • Client.exe (PID: 3180)
    • Checks Windows Trust Settings

      • Client.exe (PID: 3180)
    • Reads Internet Explorer settings

      • Client.exe (PID: 3180)
    • Creates or modifies Windows services

      • install.exe (PID: 2224)
      • 123.exe (PID: 7100)
    • Contacting a server suspected of hosting a CnC

      • 히든 디도스 클라이언트.exe (PID: 6388)
  • INFO

    • Manual execution by a user

      • Client.exe (PID: 4644)
      • Client.exe (PID: 3372)
      • 无情修改版.exe (PID: 3160)
      • 无情修改版.exe (PID: 6188)
      • Client.exe (PID: 1236)
      • Build.exe (PID: 7112)
      • 无情修改版.exe (PID: 6384)
      • gogi.exe (PID: 6408)
      • Client.exe (PID: 1432)
      • GBFF Client.exe (PID: 7036)
      • Build.exe (PID: 6576)
      • GBFF Builder.exe (PID: 6696)
      • Build.exe (PID: 252)
      • 히든 디도스 클라이언트.exe (PID: 6396)
      • GBFF Client.exe (PID: 4064)
      • 히든 디도스 클라이언트.exe (PID: 6388)
    • Checks supported languages

      • install.exe (PID: 2224)
      • Client.exe (PID: 3180)
      • Client.exe (PID: 3372)
      • xonvom.exe (PID: 6216)
      • Client.exe (PID: 1236)
      • gogi.exe (PID: 6408)
      • 无情修改版.exe (PID: 6384)
      • Client.exe (PID: 1432)
      • Build.exe (PID: 7112)
      • 无情修改版.exe (PID: 3160)
      • Build.exe (PID: 6576)
      • 히든 디도스 클라이언트.exe (PID: 6388)
      • Build.exe (PID: 252)
      • GBFF Client.exe (PID: 4064)
      • GBFF Builder.exe (PID: 6696)
      • 123.exe (PID: 7100)
      • GBFF Client.exe (PID: 7160)
      • hydjuc.exe (PID: 5656)
    • Process checks computer location settings

      • Client.exe (PID: 3372)
      • GBFF Client.exe (PID: 4064)
    • Reads the computer name

      • Client.exe (PID: 3372)
      • install.exe (PID: 2224)
      • xonvom.exe (PID: 6216)
      • Client.exe (PID: 3180)
      • 无情修改版.exe (PID: 6384)
      • Client.exe (PID: 1432)
      • 无情修改版.exe (PID: 3160)
      • Build.exe (PID: 7112)
      • gogi.exe (PID: 6408)
      • Client.exe (PID: 1236)
      • GBFF Builder.exe (PID: 6696)
      • 히든 디도스 클라이언트.exe (PID: 6388)
      • Build.exe (PID: 252)
      • GBFF Client.exe (PID: 4064)
      • GBFF Client.exe (PID: 7160)
      • Build.exe (PID: 6576)
      • 123.exe (PID: 7100)
      • hydjuc.exe (PID: 5656)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6700)
    • Reads Environment values

      • xonvom.exe (PID: 6216)
      • hydjuc.exe (PID: 5656)
    • Reads the machine GUID from the registry

      • Client.exe (PID: 3180)
    • Reads the software policy settings

      • Client.exe (PID: 3180)
      • 히든 디도스 클라이언트.exe (PID: 6388)
    • Reads CPU info

      • xonvom.exe (PID: 6216)
      • hydjuc.exe (PID: 5656)
    • Checks proxy server information

      • Client.exe (PID: 3180)
    • Creates files or folders in the user directory

      • Client.exe (PID: 3180)
    • Process checks Internet Explorer phishing filters

      • Client.exe (PID: 3180)
    • VMProtect protector has been detected

      • xonvom.exe (PID: 6216)
      • GBFF Client.exe (PID: 7160)
      • hydjuc.exe (PID: 5656)
    • Create files in a temporary directory

      • 히든 디도스 클라이언트.exe (PID: 6388)
    • UPX packer has been detected

      • Build.exe (PID: 252)
      • GBFF Client.exe (PID: 7160)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 164
Monitored processes: 24
Malicious processes: 3
Suspicious processes: 3

Behavior graph

  • start
  • winrar.exe
  • client.exe (no specs)
  • client.exe
  • client.exe
  • install.exe (THREAT)
  • xonvom.exe (no specs)
  • rundll32.exe (no specs)
  • 无情修改版.exe (no specs)
  • 无情修改版.exe
  • 无情修改版.exe
  • gogi.exe
  • client.exe
  • client.exe
  • build.exe (no specs, THREAT)
  • build.exe (no specs)
  • build.exe (no specs)
  • 히든 디도스 클라이언트.exe (no specs)
  • 히든 디도스 클라이언트.exe
  • gbff builder.exe (no specs)
  • gbff client.exe (no specs)
  • gbff client.exe (THREAT)
  • gbff client.exe (no specs)
  • 123.exe (THREAT)
  • hydjuc.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6700
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\paranor.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4644
CMD: "C:\Users\admin\Desktop\Client.exe"
Path: C:\Users\admin\Desktop\Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\desktop\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3372
CMD: "C:\Users\admin\Desktop\Client.exe"
Path: C:\Users\admin\Desktop\Client.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 3180
CMD: "C:\Client.exe"
Path: C:\Client.exe
Parent process: Client.exe
User: admin
Integrity Level: HIGH
Description: Client Microsoft 基础类应用程序
Exit code: 2
Version: 1, 0, 0, 1
Modules (Images):
c:\client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 2224
CMD: "C:\install.exe"
Path: C:\install.exe
Parent process: Client.exe
User: admin
Company: Anonymous
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 6216
CMD: C:\WINDOWS\SysWOW64\xonvom.exe
Path: C:\Windows\SysWOW64\xonvom.exe
Parent process: services.exe
User: SYSTEM
Company: Anonymous
Integrity Level: SYSTEM
Modules (Images):
c:\windows\syswow64\xonvom.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 6252
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6188
CMD: "C:\Users\admin\Desktop\无情修改版\无情修改版.exe"
Path: C:\Users\admin\Desktop\无情修改版\无情修改版.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\desktop\无情修改版\无情修改版.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6384
CMD: "C:\Users\admin\Desktop\无情修改版\无情修改版.exe"
Path: C:\Users\admin\Desktop\无情修改版\无情修改版.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Modules (Images):
c:\users\admin\desktop\无情修改版\无情修改版.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 3160
CMD: "C:\Users\admin\Desktop\无情修改版\无情修改版.exe"
Path: C:\Users\admin\Desktop\无情修改版\无情修改版.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Modules (Images):
c:\users\admin\desktop\无情修改版\无情修改版.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events: 20 620
Read events: 20 466
Write events: 146
Delete events: 8

Modification events

PID | Process | Key | Operation | Name | Value
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\paranor.7z
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
6700 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\General | write | LastFolder | C:\Users\admin\Desktop
Executable files: 20
Suspicious files: 8
Text files: 13
Unknown types: 1

Dropped files

PID | Process | Filename | Type
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\Server\Server.Dat | executable
MD5: 9568F27B0C865FDF809E56461CE3E79A
SHA256: 1D27CA678F1B2C29BDF208210D2507D2F020AEE251A23B47593B1E6522B3D27F
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\GBFF Builder.exe | executable
MD5: 324085C69635BA459100210EB21D3453
SHA256: 2DD2829B35502D2E030272D09D430A8FEECEAB5C1C07B61F76ED156C62991F70
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\无情修改版\dat\Cache.dat | executable
MD5: 61A2FE475E0EC4C19ACCBE268FDAA219
SHA256: A3F99793B01ED4549C6973356F20697CEC5FDC1090C2B2826AC037350C5764FD
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\카스툴패킷강화\카스툴패킷강화\소울찬양[참고].txt | text
MD5: FE7A96FA2F06B54CC01A8FFF54915A40
SHA256: E6DB999163ADB8BE9403EC7B5DD6E3E9FD97D441C534C36503AA542D1CF3334B
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\Client.exe | executable
MD5: 1D384E50EC0A53B85B55D5DDED293103
SHA256: 14766A7201B0827932C85C2D6EB126A0E9D06C2F69104674C7413227F947BAEF
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\고기툴 2.0 ver\gogi.dll | executable
MD5: 75981EC1E63555A0AF71F72268D133CF
SHA256: 4D1C67472BC1C788166732447E9AAC102486FD908CBC7E125D3878254BCE9D41
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\디도스+프로그램\제품설명.txt | text
MD5: 6B60E61FDBCAC4CBAB187E429CCE3E18
SHA256: 2B7193DAAE6120BD0833977F29FB0B3330BE60D60A3FE83FF098A0D32A13D631
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\无情修改版\Setting.ini | text
MD5: 64E5A53729D662DC9DD2F0B8F7044BCE
SHA256: 3749EADDCF1C468C0B98B067B8BF800C8E6CC3FD273DB405899AD9E91DF8F131
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\Server\Server2.rar | compressed
MD5: A7A854166EB85FB9A6C4A4599556546A
SHA256: DC596A1257E7723D409B60BE340468A4703B779790D90D13A741B917BDF16493
6700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa6700.42616\2012 Gold Black FireFox DDoS VIP Ver Client\Client.ini | ini
MD5: FC5B5A6BBE21A3E2E141EF011BE7C9A6
SHA256: F8A4D87F4D83F0800D5F747D5CFACCAF5FDC2792BE99FF0571191A781C54EBFE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 46
DNS requests: 63
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6388 | 히든 디도스 클라이언트.exe | GET | 302 | 23.206.208.172:80 | http://blog.naver.com/PostView.nhn?blogId=enoch_rvn&logNo=50129408978&parentCategoryNo=1&viewDate=&currentPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined | unknown | unknown
3180 | Client.exe | GET | 200 | 38.174.232.2:80 | http://www.okddos.cn/ | unknown | unknown
6376 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
3180 | Client.exe | GET | 200 | 38.174.232.2:80 | http://www.okddos.cn/tj.js | unknown | unknown
5244 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
3180 | Client.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | unknown
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | unknown
6352 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
3180 | Client.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D | unknown | unknown
3180 | Client.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDE5AA6ZetoH4f0vY6w%3D%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2680 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
876 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5336 | SearchApp.exe | 92.123.104.66:443 | www.bing.com | Akamai International B.V. | DE | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5244 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 216.58.212.142 | whitelisted
www.bing.com | 92.123.104.66, 92.123.104.11, 92.123.104.10, 92.123.104.8, 92.123.104.67, 92.123.104.7, 92.123.104.5, 92.123.104.9, 92.123.104.4 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.160.22, 40.126.32.140, 20.190.160.17, 40.126.32.74, 20.190.160.20, 40.126.32.134, 40.126.32.68, 40.126.32.133 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
fd.api.iris.microsoft.com | 20.223.36.55 | whitelisted
th.bing.com | 92.123.104.66, 92.123.104.6, 92.123.104.9, 92.123.104.4, 92.123.104.7, 92.123.104.5, 92.123.104.65, 92.123.104.11, 92.123.104.10 | whitelisted
arc.msn.com | 20.103.156.88 | whitelisted
competitionkill.codns.com | - | unknown

Threats

PID | Process | Class | Message
6388 | 히든 디도스 클라이언트.exe | Malware Command and Control Activity Detected | ET MALWARE W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC
6388 | 히든 디도스 클라이언트.exe | Potentially Bad Traffic | ET INFO Referrer-Policy set to unsafe-url
No debug info