File name: networkminer-pro-download-temp.exe

Full analysis: https://app.any.run/tasks/780aefba-0258-484e-8586-138ef62a73a4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 23, 2018, 01:48:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5E67C28864E40E168AACC9CB510D019A
SHA1: E8425AF7A170E50B65A5FBEDA5A6F77513E1363F
SHA256: 50482CA95FFC8AB053D23985CA4509ED9081E0F242CAB783633F13F7E2620268
SSDEEP: 98304:tAE8cTejOud/Q+ijfvPBUFCe+N2Q2T6JQp2Tk1xXIW/CjGVucwh:txTc/QoAe+N+eJq2TkbXd/CaVeh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.exe (PID: 3736)
      • 88325868-8841-4016-81C8-4E087D5AD009.exe (PID: 3548)
      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • OneSystemCare.exe (PID: 2772)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • smappscontroller.exe (PID: 2912)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3056)
      • OneSystemCare.exe (PID: 2932)
      • mweshield.exe (PID: 3568)
      • mweshieldup.exe (PID: 2852)
      • mweshield.exe (PID: 2320)
      • setup.exe (PID: 2712)
      • mweshieldup.exe (PID: 2424)
      • certutil.exe (PID: 3348)
      • noteupd.exe (PID: 1472)
      • notepad3k.exe (PID: 2608)
      • chromedriver.exe (PID: 2116)
      • chrome.exe (PID: 3280)
      • chrome.exe (PID: 1304)
      • chrome.exe (PID: 308)
      • chrome.exe (PID: 2328)
      • chrome.exe (PID: 3840)
      • chrome.exe (PID: 2800)
      • mrkeeper.exe (PID: 3208)
      • ZllCNLzSCm.exe (PID: 3968)
      • ZllCNLzSCm.exe (PID: 3420)
      • mrkeeper.exe (PID: 3532)
      • mrkeeper.exe (PID: 3124)
      • OneSystemCare.exe (PID: 3540)
      • OneSystemCare.exe (PID: 2948)
      • OneSystemCare.exe (PID: 3212)
      • mweshield.exe (PID: 1460)
      • mweshieldup.exe (PID: 1968)
      • smappscontroller.exe (PID: 1392)
      • noteupd.exe (PID: 3636)
      • smappscontroller.exe (PID: 3668)
      • notepad3k.exe (PID: 3964)
      • chromedriver.exe (PID: 3816)
      • CleanupConsole.exe (PID: 252)
      • certutil.exe (PID: 904)
      • chrome.exe (PID: 3532)
      • chrome.exe (PID: 3240)
      • chrome.exe (PID: 2112)
      • chrome.exe (PID: 3420)
      • chrome.exe (PID: 4052)
      • chrome.exe (PID: 2260)
      • MailRuUpdater.exe (PID: 2260)
      • MailRuUpdater.exe (PID: 1508)
      • MailRuUpdater.exe (PID: 3388)
      • MailRuUpdater.exe (PID: 1684)
      • MailRuUpdater.exe (PID: 3132)
      • 9938-bc11-a587-fd7b (PID: 2720)
      • mrupdsrv.exe (PID: 2484)
      • mrupdsrv.exe (PID: 1040)
      • na_runner.exe (PID: 292)
    • Application loaded dropped or rewritten executable

      • 88325868-8841-4016-81C8-4E087D5AD009.exe (PID: 3548)
      • mweshield.exe (PID: 3568)
      • setup.exe (PID: 2712)
      • mweshield.exe (PID: 2320)
      • regsvr32.exe (PID: 4032)
      • certutil.exe (PID: 3348)
      • noteupd.exe (PID: 1472)
      • iexplore.exe (PID: 3108)
      • chrome.exe (PID: 3280)
      • chrome.exe (PID: 1304)
      • notepad3k.exe (PID: 2608)
      • chrome.exe (PID: 308)
      • chrome.exe (PID: 2328)
      • svchost.exe (PID: 764)
      • iexplore.exe (PID: 3128)
      • chrome.exe (PID: 3840)
      • chrome.exe (PID: 2800)
      • ZllCNLzSCm.exe (PID: 3968)
      • ZllCNLzSCm.exe (PID: 3420)
      • iexplore.exe (PID: 3956)
      • iexplore.exe (PID: 2196)
      • rundll32.exe (PID: 872)
      • rundll32.exe (PID: 1556)
      • rundll32.exe (PID: 1628)
      • certutil.exe (PID: 904)
      • noteupd.exe (PID: 3636)
      • mweshield.exe (PID: 1460)
      • notepad3k.exe (PID: 3964)
      • chrome.exe (PID: 3532)
      • chrome.exe (PID: 2112)
      • chrome.exe (PID: 3240)
      • chrome.exe (PID: 3420)
      • chrome.exe (PID: 2260)
      • chrome.exe (PID: 4052)
    • Uses Task Scheduler to run other applications

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • OneSystemCare.tmp (PID: 2588)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3252)
      • schtasks.exe (PID: 3072)
      • schtasks.exe (PID: 2560)
      • schtasks.exe (PID: 3024)
      • schtasks.exe (PID: 3584)
      • schtasks.exe (PID: 3436)
      • schtasks.exe (PID: 4020)
      • schtasks.exe (PID: 2708)
      • schtasks.exe (PID: 2680)
      • schtasks.exe (PID: 3976)
      • schtasks.exe (PID: 3512)
      • schtasks.exe (PID: 3580)
      • svchost.exe (PID: 764)
      • na_runner.exe (PID: 292)
      • taskhost.exe (PID: 2244)
      • schtasks.exe (PID: 3452)
      • schtasks.exe (PID: 3316)
      • schtasks.exe (PID: 3112)
      • schtasks.exe (PID: 2020)
      • schtasks.exe (PID: 3284)
      • schtasks.exe (PID: 3180)
      • taskhost.exe (PID: 2984)
      • schtasks.exe (PID: 2408)
      • schtasks.exe (PID: 3588)
      • schtasks.exe (PID: 4028)
      • taskhost.exe (PID: 3092)
      • schtasks.exe (PID: 860)
      • schtasks.exe (PID: 632)
      • schtasks.exe (PID: 1720)
      • schtasks.exe (PID: 1228)
      • schtasks.exe (PID: 3724)
      • schtasks.exe (PID: 2552)
      • schtasks.exe (PID: 2760)
    • Loads the Task Scheduler DLL interface

      • schtasks.exe (PID: 3836)
      • schtasks.exe (PID: 3264)
      • OneSystemCare.exe (PID: 3212)
    • Changes the autorun value in the registry

      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • na_runner.exe (PID: 292)
      • setup.exe (PID: 2712)
    • Changes Windows auto-update feature

      • svchost.exe (PID: 764)
      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • MailRuUpdater.exe (PID: 2260)
    • Changes settings of System certificates

      • mweshield.exe (PID: 2320)
      • MailRuUpdater.exe (PID: 1508)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • chrome.exe (PID: 3280)
      • mrupdsrv.exe (PID: 1040)
    • Modifies files in Chrome extension folder

      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
    • Changes internet zones settings

      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
  • SUSPICIOUS

    • Creates files in the user directory

      • networkminer-pro-download-temp.exe (PID: 3416)
      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • 88325868-8841-4016-81C8-4E087D5AD009.exe (PID: 3548)
      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • OneSystemCare.tmp (PID: 2344)
      • MailRuUpdater.exe (PID: 2260)
      • setup.exe (PID: 2712)
      • OneSystemCare.tmp (PID: 2588)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • chromedriver.exe (PID: 2116)
      • chrome.exe (PID: 1304)
      • chrome.exe (PID: 3280)
      • FlashUtil32_26_0_0_137_ActiveX.exe (PID: 2988)
      • MailRuUpdater.exe (PID: 3132)
      • chrome.exe (PID: 2112)
      • chrome.exe (PID: 3532)
      • CleanupConsole.exe (PID: 252)
    • Starts Internet Explorer

      • networkminer-pro-download-temp.exe (PID: 3416)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • CleanupConsole.exe (PID: 252)
    • Creates files in the program directory

      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • svchost.exe (PID: 764)
      • na_runner.exe (PID: 292)
      • mweshield.exe (PID: 2320)
      • 9938-bc11-a587-fd7b (PID: 2720)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • OneSystemCare.exe (PID: 3212)
    • Reads the Windows organization settings

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • OneSystemCare.tmp (PID: 2344)
      • OneSystemCare.tmp (PID: 2588)
    • Reads Windows owner settings

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • OneSystemCare.tmp (PID: 2344)
      • OneSystemCare.tmp (PID: 2588)
    • Uses TASKKILL.EXE to kill process

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
    • Searches for installed software

      • networkminer-pro-download-temp.exe (PID: 3416)
      • smappscontroller.exe (PID: 2912)
      • OneSystemCare.tmp (PID: 2588)
      • smappscontroller.exe (PID: 3668)
    • Creates files in the Windows directory

      • schtasks.exe (PID: 3836)
      • svchost.exe (PID: 764)
      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • MailRuUpdater.exe (PID: 1508)
      • mweshieldup.exe (PID: 2424)
      • mrupdsrv.exe (PID: 2484)
      • schtasks.exe (PID: 3264)
      • OneSystemCare.exe (PID: 3212)
      • mweshieldup.exe (PID: 1968)
    • Creates a software uninstall entry

      • na_runner.exe (PID: 292)
      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • setup.exe (PID: 2712)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
    • Creates files in the driver directory

      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
    • Starts itself from another location

      • na_runner.exe (PID: 292)
    • Creates or modifies windows services

      • svchost.exe (PID: 764)
      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • mweshield.exe (PID: 2320)
      • noteupd.exe (PID: 1472)
      • notepad3k.exe (PID: 2608)
      • mweshield.exe (PID: 1460)
    • Removes files from Windows directory

      • svchost.exe (PID: 764)
      • MailRuUpdater.exe (PID: 1508)
    • Starts application with an unusual extension

      • MailRuUpdater.exe (PID: 1508)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 4032)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
    • Changes IE settings (feature browser emulation)

      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
    • Application launched itself

      • chrome.exe (PID: 3280)
    • Reads internet explorer settings

      • ZllCNLzSCm.exe (PID: 3968)
      • ZllCNLzSCm.exe (PID: 3420)
    • Adds / modifies Windows certificates

      • mrupdsrv.exe (PID: 1040)
  • INFO

    • Dropped object may contain URL's

      • networkminer-pro-download-temp.exe (PID: 3416)
      • iexplore.exe (PID: 2216)
      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • iexplore.exe (PID: 3876)
      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • svchost.exe (PID: 764)
      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • mweshield.exe (PID: 2320)
      • regsvr32.exe (PID: 4032)
      • OneSystemCare.tmp (PID: 2588)
      • C11F7497-71A1-402B-98F3-0F401F21C6BE.exe (PID: 3068)
      • iexplore.exe (PID: 3108)
      • iexplore.exe (PID: 2196)
      • iexplore.exe (PID: 3956)
      • iexplore.exe (PID: 3128)
      • chrome.exe (PID: 3532)
      • setup.exe (PID: 2712)
    • Loads rich edit control libraries

      • A4D242CC-7415-43B7-8696-898360D2C3A7.exe (PID: 2856)
      • FlashUtil32_26_0_0_137_ActiveX.exe (PID: 2988)
    • Changes internet zones settings

      • iexplore.exe (PID: 3876)
      • iexplore.exe (PID: 3108)
      • iexplore.exe (PID: 3956)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2216)
      • iexplore.exe (PID: 2196)
      • iexplore.exe (PID: 3128)
    • Creates files in the user directory

      • iexplore.exe (PID: 2216)
      • iexplore.exe (PID: 3128)
      • iexplore.exe (PID: 2196)
    • Creates files in the program directory

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • OneSystemCare.tmp (PID: 2588)
    • Application loaded dropped or rewritten executable

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • OneSystemCare.tmp (PID: 2344)
      • OneSystemCare.tmp (PID: 2588)
    • Application was dropped or rewritten from another process

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • OneSystemCare.tmp (PID: 2344)
      • OneSystemCare.tmp (PID: 2588)
    • Creates a software uninstall entry

      • AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp (PID: 3760)
      • OneSystemCare.tmp (PID: 2588)
    • Reads settings of System Certificates

      • MailRuUpdater.exe (PID: 1508)
      • MailRuUpdater.exe (PID: 3132)
    • Dropped object may contain Bitcoin addresses

      • CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe (PID: 3576)
      • OneSystemCare.tmp (PID: 2588)
      • setup.exe (PID: 2712)
    • Loads the .NET runtime environment

      • noteupd.exe (PID: 1472)
      • notepad3k.exe (PID: 2608)
      • noteupd.exe (PID: 3636)
      • notepad3k.exe (PID: 3964)
    • Application launched itself

      • iexplore.exe (PID: 3108)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2196)
      • iexplore.exe (PID: 3956)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (35.9)
.exe | Win32 Executable MS Visual C++ (generic) (27)
.exe | Win64 Executable (generic) (23.9)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:06:12 04:46:19+02:00
PEType: PE32
LinkerVersion: 12
CodeSize: 2681344
InitializedDataSize: 3277312
UninitializedDataSize: -
EntryPoint: 0x1587a3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Jun-2015 02:46:19
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 12-Jun-2015 02:46:19
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0028E9EA | 0x0028EA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.64204
.data | 0x00290000 | 0x00ADF55C | 0x0014DA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.00203
.idata | 0x00D70000 | 0x00000ABA | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.11067
.xdata | 0x00D71000 | 0x000002B4 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.98929
.27N8OL | 0x00D72000 | 0x00049418 | 0x00049600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.02287
.TABMS | 0x00DBC000 | 0x00187B20 | 0x00187C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.03047
.rsrc | 0x00F44000 | 0x00000520 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.397

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.07794 | 1223 | Latin 1 / Western European | English - United States | RT_MANIFEST

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
WINTRUST.dll
No data.
All screenshots are available in the full report
Total processes: 237
Monitored processes: 109
Malicious processes: 43
Suspicious processes: 13

Behavior graph

(Interactive process graph not reproduced here; its nodes correspond to the processes listed in this report, starting from networkminer-pro-download-temp.exe.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 252
CMD: "C:\Program Files\OneSystemCare\CleanupConsole.exe" -Notify
Path: C:\Program Files\OneSystemCare\CleanupConsole.exe
Parent process: taskeng.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\program files\onesystemcare\cleanupconsole.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 292
CMD: "C:\Users\admin\AppData\Local\Temp\0ef4-d166-d2d0-900e\na_runner.exe" --install
Path: C:\Users\admin\AppData\Local\Temp\0ef4-d166-d2d0-900e\na_runner.exe
Parent process: CCE9E0DC-415B-4335-98F4-1B99ED61A644.exe
User: admin
Company: Mail.Ru
Integrity Level: HIGH
Description: Mail.Ru updater
Exit code: 0
Version: 3.14.0.50
Modules (images):
c:\users\admin\appdata\local\temp\0ef4-d166-d2d0-900e\na_runner.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 308
CMD: "C:\Users\admin\AppData\Roaming\notepad3k\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2124 --on-initialized-event-handle=300 --parent-handle=304 --enable-logging /prefetch:6
Path: C:\Users\admin\AppData\Roaming\notepad3k\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 64.0.3282.186
Modules (images):
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\users\admin\appdata\roaming\notepad3k\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\roaming\notepad3k\chrome\application\64.0.3282.186\chrome_elf.dll
PID: 632
CMD: schtasks /DELETE /TN "SblZmBRLKrukRom" /F
Path: C:\Windows\system32\schtasks.exe
Parent process: C11F7497-71A1-402B-98F3-0F401F21C6BE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 764
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 860
CMD: "C:\Windows\System32\schtasks.exe" /Create /TR "'C:\Program Files\OneSystemCare\OneSystemCare.exe' --scan" /sc ONCE /st 02:54 /sd 04/23/2018 /TN "One System Care Delayed" /F /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: OneSystemCare.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 872
CMD: C:\Windows\system32\rundll32.EXE "C:\Program Files\yGQUkuNFJydZrWLqulR\hXrvEjW.dll",#1
Path: C:\Windows\System32\rundll32.exe
Parent process: taskeng.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 904
CMD: nss\certutil -A -t "TCu" -i "C:\Program Files\My Web Shield\cert\SSL\My Web Shield 2.cer" -n "My Web Shield 2" -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\hggh073w.default"
Path: C:\Program Files\My Web Shield\nss\certutil.exe
Parent process: mweshield.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
c:\program files\my web shield\nss\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\my web shield\nss\smime3.dll
c:\program files\my web shield\nss\nss3.dll
c:\program files\my web shield\nss\softokn3.dll
c:\program files\my web shield\nss\plc4.dll
c:\program files\my web shield\nss\nspr4.dll
c:\windows\system32\advapi32.dll
PID: 1040
CMD: "C:\Program Files\Mail.Ru\Update Service\mrupdsrv.exe" --s
Path: C:\Program Files\Mail.Ru\Update Service\mrupdsrv.exe
Parent process: services.exe
User: SYSTEM
Company: Mail.Ru
Integrity Level: SYSTEM
Description: Mail.Ru Update Service
Exit code: 0
Version: 3.12.0.10
Modules (images):
c:\program files\mail.ru\update service\mrupdsrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1228
CMD: schtasks /create /tn "SblZmBRLKrukRom2" /xml "C:\Program Files\RlCzQmKuU\settings.xml" /RU "SYSTEM"
Path: C:\Windows\system32\schtasks.exe
Parent process: C11F7497-71A1-402B-98F3-0F401F21C6BE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events: 10 146
Read events: 7 606
Write events: 2 249
Delete events: 291

Modification events

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_CURRENT_USER\Software\Downloader
Operation: write
Name: quarantine
Value:

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3416) networkminer-pro-download-temp.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\networkminer-pro-download-temp_RASMANCS
Operation: write
Name: FileTracingMask
Value: 4294901760
Executable files: 101
Suspicious files: 69
Text files: 958
Unknown types: 136

Dropped files

PID | Process | Filename | Type
3416 | networkminer-pro-download-temp.exe | C:\Users\admin\AppData\Local\Temp\Downloader\tempicon.ico | -
3416 | networkminer-pro-download-temp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tribute0nail-qualified[1].txt | -
3876 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HB72KPVE\favicon[1].ico | -
3876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
3736 | AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.exe | C:\Users\admin\AppData\Local\Temp\is-FMHQ7.tmp\AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp | executable
2856 | A4D242CC-7415-43B7-8696-898360D2C3A7.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JZR4RKAB\300[1] | text
3416 | networkminer-pro-download-temp.exe | C:\Users\admin\AppData\Local\Temp\A4D242CC-7415-43B7-8696-898360D2C3A7\A4D242CC-7415-43B7-8696-898360D2C3A7.exe | executable
3416 | networkminer-pro-download-temp.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tribute0nail-qualified[2].txt | text
3416 | networkminer-pro-download-temp.exe | C:\Users\admin\AppData\Local\Temp\AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F\AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.exe | executable
3760 | AF0B4DCE-8FE4-401A-99AB-31AD099D8A0F.tmp | C:\Users\admin\AppData\Roaming\Smart Application Controller\settings.ini | text
HTTP(S) requests: 451
TCP/UDP connections: 299
DNS requests: 129
Threats: 42

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
HEAD | - | 5.149.248.111:80 | http://totrakto.com/Networkminer-Pro-Download--temp.zip | NL | - | - | suspicious
POST | - | 104.27.138.132:80 | http://tribute0nail-qualified.ml/api_v2/json/send/analyticsreport | US | - | - | malicious
POST | - | 104.27.138.132:80 | http://tribute0nail-qualified.ml/api_v2/json/get/initialization | US | - | - | malicious
GET | 200 | 132.148.91.227:80 | http://132.148.91.227/hhueiqpii.exe | US | executable | 3.24 Mb | suspicious
GET | 200 | 94.100.180.110:80 | http://sputnikmailru.cdnmail.ru/mailruhomesearch.exe?rfr=811550 | RU | executable | 2.20 Mb | suspicious
GET | 200 | 104.27.139.132:80 | http://tribute0nail-qualified.ml/upload/4b3fedd488b3a4b8fe830cd8f107158b.exe | US | executable | 2.84 Mb | malicious
POST | - | 104.27.138.132:80 | http://tribute0nail-qualified.ml/api_v2/json/get/campaigns | US | - | - | malicious
GET | 200 | 104.27.139.132:80 | http://tribute0nail-qualified.ml/upload/9b33448929168974fa305a0ec4a35bc9.exe | US | executable | 623 Kb | malicious
GET | 200 | 173.214.252.173:80 | http://gossipserps.com/install6.exe | US | executable | 169 Kb | malicious
GET | 200 | 104.27.138.132:80 | http://tribute0nail-qualified.ml/icons/1.ico | US | image | 31.2 Kb | malicious

Connections

IP | Domain | ASN | CN | Reputation
104.27.138.132:80 | tribute0nail-qualified.ml | Cloudflare Inc | US | shared
104.27.139.132:80 | tribute0nail-qualified.ml | Cloudflare Inc | US | shared
132.148.91.227:80 | - | GoDaddy.com, LLC | US | suspicious
5.149.248.111:80 | totrakto.com | HZ Hosting Ltd | NL | unknown
104.24.119.133:80 | vd.onesystemhost.net | Cloudflare Inc | US | shared
94.100.180.110:80 | sputnikmailru.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious
173.214.252.173:80 | gossipserps.com | Serverel Inc. | US | malicious
200.7.97.34:80 | mywebshield-ww1.com | HZ Hosting Ltd | NL | malicious
5.149.249.101:80 | getmywebshield.org | HZ Hosting Ltd | NL | unknown
204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
teredo.ipv6.microsoft.com | - | whitelisted
tribute0nail-qualified.ml | 104.27.138.132, 104.27.139.132 | malicious
vd.onesystemhost.net | 104.24.119.133, 104.24.118.133 | unknown
gossipserps.com | 173.214.252.173 | malicious
totrakto.com | 5.149.248.111 | suspicious
sputnikmailru.cdnmail.ru | 94.100.180.110 | unknown
mywebshield-ww1.com | 200.7.97.34 | malicious
getmywebshield.org | 5.149.249.101 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
savegglss.com | 173.214.252.173 | malicious

Threats

Class | Message
Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ml Domain
Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.ml Domain
Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.ml Domain
Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.ml Domain
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.ml Domain
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Process | Message
OneSystemCare.tmp |
MailRuUpdater.exe | RunAsService: Entry
OneSystemCare.tmp |
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\notepad3k\Chrome\NewProfile directory exists )
chrome.exe | [0423/024958.010:ERROR:gpu_process_transport_factory.cc(1009)] Lost UI shared context.
chrome.exe | [0423/024958.010:ERROR:instance.cc(49)] Unable to locate service manifest for metrics
chrome.exe | [0423/024958.010:ERROR:service_manager.cc(890)] Failed to resolve service name: metrics
chrome.exe | [0423/024958.704:ERROR:instance.cc(49)] Unable to locate service manifest for metrics
chrome.exe | [0423/024958.704:ERROR:service_manager.cc(890)] Failed to resolve service name: metrics
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming\notepad3k\Chrome\NewProfile directory exists )