File name: o.exe

Full analysis: https://app.any.run/tasks/ce26e33b-6f4b-4b6d-9e80-b22ef16a3507
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 07, 2019, 19:29:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
loader
trojan
phorpiex
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 090825B51B1C9C88CCE0F5E0B5436F8A
SHA1: 8699B3BF9580DD7FB97CF661E42931CCF0702B09
SHA256: 453375371A20EFAE3AC33601B2876E19D00B0D9CC5F77BA137C596FCBC872DEC
SSDEEP: 3072:35B3EdmqwLpHIPugFyZYqNsdmEQbDvNC3JeuGJk61F6U:pB0dmJCWgFyZYHmfDVC5+JiU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • o.exe (PID: 3160)
      • dc.exe (PID: 3468)
    • Changes Security Center notification settings

      • winsvcs.exe (PID: 3260)
    • Disables Windows System Restore

      • winsvcs.exe (PID: 3260)
    • Application was dropped or rewritten from another process

      • dc.exe (PID: 3468)
      • vcpkgsrv.exe (PID: 2680)
      • vcpkgsrv.exe (PID: 2968)
      • vcpkgsrv.exe (PID: 2156)
      • 3085113621.exe (PID: 2396)
      • 1489615557.exe (PID: 3888)
      • vcpkgsrv.exe (PID: 5536)
    • Disables Windows Defender Real-time monitoring

      • winsvcs.exe (PID: 3260)
    • Uses Task Scheduler to run other applications

      • vcpkgsrv.exe (PID: 2680)
    • Connects to CnC server

      • vcpkgsrv.exe (PID: 2680)
      • wuapp.exe (PID: 4208)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3832)
    • MINER was detected

      • vcpkgsrv.exe (PID: 2680)
      • wuapp.exe (PID: 4208)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 3740)
      • winsvcs.exe (PID: 3260)
    • Downloads executable files from IP

      • winsvcs.exe (PID: 3260)
    • PHORPIEX was detected

      • 3085113621.exe (PID: 2396)
  • SUSPICIOUS

    • Starts itself from another location

      • o.exe (PID: 3160)
      • dc.exe (PID: 3468)
      • winsvcs.exe (PID: 3260)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2180)
      • iexplore.exe (PID: 3684)
      • dc.exe (PID: 3468)
      • o.exe (PID: 3160)
      • winsvcs.exe (PID: 3260)
      • chrome.exe (PID: 3740)
      • 3085113621.exe (PID: 2396)
    • Creates files in the user directory

      • winsvcs.exe (PID: 3260)
      • dc.exe (PID: 3468)
      • vcpkgsrv.exe (PID: 2680)
      • vcpkgsrv.exe (PID: 2968)
      • vcpkgsrv.exe (PID: 2156)
    • Connects to unusual port

      • vcpkgsrv.exe (PID: 2680)
      • wuapp.exe (PID: 4208)
      • winsvcs.exe (PID: 3260)
    • Creates files in the program directory

      • 3085113621.exe (PID: 2396)
    • Starts CMD.EXE for commands execution

      • 3085113621.exe (PID: 2396)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3684)
      • chrome.exe (PID: 3740)
    • Changes internet zones settings

      • iexplore.exe (PID: 3684)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2180)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2180)
      • iexplore.exe (PID: 3684)
      • chrome.exe (PID: 3740)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:07:12 03:35:29+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 118784
InitializedDataSize: 12288
UninitializedDataSize: 249856
EntryPoint: 0x5acb0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x004f
FileFlags: (none)
FileOS: Unknown (0x40534)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (457A)
CharacterSet: Unknown (A56B)
FileVersion: 10.1.5.71

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Jul-2018 01:35:29

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 12-Jul-2018 01:35:29
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x0003D000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x0003E000 | 0x0001D000 | 0x0001D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.82566
.rsrc | 0x0005B000 | 0x00003000 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.87637

Imports

GDI32.dll
KERNEL32.DLL
SHELL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 71
Monitored processes: 34
Malicious processes: 6
Suspicious processes: 1

Behavior graph

(Interactive graph, available in the full report.) Processes shown in the graph: o.exe, winsvcs.exe, iexplore.exe (x2), dc.exe, vcpkgsrv.exe (#MINER), schtasks.exe, vcpkgsrv.exe, chrome.exe (multiple instances), vcpkgsrv.exe, 1694511834.exe, 3085113621.exe (#PHORPIEX), 1489615557.exe, wuapp.exe (#MINER), vcpkgsrv.exe, cmd.exe (x2). Edges are labelled "drop and start" or "start".

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1104
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,17859955010091690098,12563873527906494994,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=7D20A7B948870B9B7B7F0D493972E480 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7D20A7B948870B9B7B7F0D493972E480 --renderer-client-id=17 --mojo-platform-channel-handle=4848 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2156
CMD: C:\Users\admin\AppData\Roaming\Charset\vcpkgsrv.exe
Path: C:\Users\admin\AppData\Roaming\Charset\vcpkgsrv.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Performance Center
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\roaming\charset\vcpkgsrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2180
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3684 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2316
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,17859955010091690098,12563873527906494994,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=D812FDC24EEBCCF526847ED69BA5118D --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=D812FDC24EEBCCF526847ED69BA5118D --renderer-client-id=10 --mojo-platform-channel-handle=2280 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2396
CMD: C:\Users\admin\AppData\Local\Temp\3085113621.exe
Path: C:\Users\admin\AppData\Local\Temp\3085113621.exe
Parent process: winsvcs.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\3085113621.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2440
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,17859955010091690098,12563873527906494994,131072 --enable-features=PasswordImport --service-pipe-token=99BA1CB92B624DCF1A8D308767E51652 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=99BA1CB92B624DCF1A8D308767E51652 --renderer-client-id=5 --mojo-platform-channel-handle=1872 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2476
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701400b0,0x701400c0,0x701400cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\user32.dll
PID: 2680
CMD: "C:\Users\admin\AppData\Roaming\Charset\vcpkgsrv.exe"
Path: C:\Users\admin\AppData\Roaming\Charset\vcpkgsrv.exe
Parent process: dc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Performance Center
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\roaming\charset\vcpkgsrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2808
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,17859955010091690098,12563873527906494994,131072 --enable-features=PasswordImport --service-pipe-token=AAA027971FD21F7DBEFCFEA2ED2FD1D2 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=AAA027971FD21F7DBEFCFEA2ED2FD1D2 --renderer-client-id=3 --mojo-platform-channel-handle=2068 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2856
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=904,17859955010091690098,12563873527906494994,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=08429FD338D0C8D707CA120E938AE83B --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=08429FD338D0C8D707CA120E938AE83B --renderer-client-id=7 --mojo-platform-channel-handle=3824 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events: 1 796
Read events: 1 545
Write events: 242
Delete events: 9

Modification events

(PID) Process: (3160) o.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft Windows Services
Value: C:\Users\admin\7008574050860\winsvcs.exe

(PID) Process: (3160) o.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft Windows Services
Value: C:\Users\admin\7008574050860\winsvcs.exe

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation: write
Name: DisableScanOnRealtimeEnable
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation: write
Name: DisableOnAccessProtection
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
Operation: write
Name: DisableBehaviorMonitoring
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Operation: write
Name: AntiVirusOverride
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Operation: write
Name: UpdatesOverride
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Operation: write
Name: FirewallOverride
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Operation: write
Name: AntiVirusDisableNotify
Value: 1

(PID) Process: (3260) winsvcs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Operation: write
Name: UpdatesDisableNotify
Value: 1
Executable files: 15
Suspicious files: 97
Text files: 147
Unknown types: 8

Dropped files

PID | Process | Filename | Type
3684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | -
3684 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
3684 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFAAB905C3A53C8F4B.TMP | -
3684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{4BBB6F4B-AC5C-11E8-969E-5254004AAD11}.dat | -
3684 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFCDD6ABA7317E7171.TMP | -
3684 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF01766EB41662CC3C.TMP | -
3684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CD294EE9-2B0E-11E9-AA93-5254004A04AF}.dat | -
2680 | vcpkgsrv.exe | C:\Users\admin\AppData\Roaming\Charset\chrome_cache.temp | -
3160 | o.exe | C:\Users\admin\7008574050860\winsvcs.exe | executable
3260 | winsvcs.exe | C:\Users\admin\AppData\Local\Temp\Windows Archive Manager.exe | executable
(MD5 and SHA256 values for dropped files are not included in this excerpt; see the full report.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 2 585
DNS requests: 187
Threats: 108

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3260 | winsvcs.exe | GET | - | 195.22.26.248:80 | http://eiufhiedniuneg.ru/NEW=1 | PT | - | - | malicious
2180 | iexplore.exe | GET | - | 188.120.224.18:80 | http://stilman.info/dc.exe | RU | - | - | malicious
3260 | winsvcs.exe | GET | - | 195.22.26.248:80 | http://seiiamefiaigae.ru/NEW=1 | PT | - | - | malicious
3740 | chrome.exe | GET | 302 | 216.239.32.21:80 | http://virustotal.com/en | US | - | - | whitelisted
3260 | winsvcs.exe | GET | - | 92.63.197.153:80 | http://92.63.197.153/1.exe | RU | - | - | malicious
3260 | winsvcs.exe | GET | - | 92.63.197.153:80 | http://92.63.197.153/2.exe | RU | - | - | malicious
3260 | winsvcs.exe | GET | - | 92.63.197.153:80 | http://92.63.197.153/3.exe | RU | - | - | malicious
3260 | winsvcs.exe | GET | - | 92.63.197.153:80 | http://92.63.197.153/v.exe | RU | - | - | malicious
3740 | chrome.exe | GET | 200 | 188.120.224.18:80 | http://stilman.info/dc.exe | RU | executable | 6.85 Mb | malicious
3740 | chrome.exe | GET | 301 | 185.85.15.30:80 | http://virusdesk.kaspersky.com/ | RU | html | 155 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3260 | winsvcs.exe | 92.63.197.153:80 | - | - | RU | malicious
3684 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2180 | iexplore.exe | 188.120.224.18:80 | stilman.info | JSC ISPsystem | RU | malicious
3260 | winsvcs.exe | 195.22.26.248:80 | eiufhiedniuneg.ru | Claranet Ltd | PT | malicious
3740 | chrome.exe | 216.58.205.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2680 | vcpkgsrv.exe | 23.82.128.59:1338 | - | Nobis Technology Group, LLC | US | suspicious
3740 | chrome.exe | 172.217.22.3:443 | www.google.de | Google Inc. | US | whitelisted
3740 | chrome.exe | 172.217.16.163:443 | www.gstatic.com | Google Inc. | US | whitelisted
3740 | chrome.exe | 172.217.21.202:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
3740 | chrome.exe | 172.217.21.227:443 | ssl.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
sefuhsuifhishf.ru | - | malicious
fieooeoafheifi.ru | - | malicious
ffoeefsheuesih.ru | - | malicious
sisfiusnrsruis.ru | - | malicious
srgsifijsjigjh.ru | - | malicious
eaojefiuaugueu.ru | - | malicious
ofeideinieghih.ru | - | malicious
sfuhseidueiihf.ru | - | malicious
sriuedueiuiefg.ru | - | malicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted

Threats

PID | Process | Class | Message
2180 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2180 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2680 | vcpkgsrv.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
2680 | vcpkgsrv.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
2680 | vcpkgsrv.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
2680 | vcpkgsrv.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c
2680 | vcpkgsrv.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
1052 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
32 ETPRO signatures available at the full report
No debug info