File name:

Video.scr

Full analysis: https://app.any.run/tasks/71657e6c-0f36-4949-9f30-74e5b67e2fba
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Analysis date: November 28, 2024, 16:07:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
bittorrent
mozi
botnet
ftp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: A9D4007C9419A6E8D55805B8F8F52DE0
SHA1: 9F9D47EC6DD80BFCB4C3E0A1530B89D2D587C230
SHA256: 5D9FE2735D4399D98E6E6A792B1FEB26D6F2D9A5D77944ECACB4B4837E5E5FCA
SSDEEP: 98304:dqMqPhw41tP2IHHAHuw4lUSlulY+fWEoOB/xsmCDGID95NM+x48rzPH9ATnVlYLh:NeuGME+pooSYeb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MOZI has been detected (SURICATA)

      • HelpPane.exe (PID: 4640)
    • BITTORRENT has been detected (SURICATA)

      • HelpPane.exe (PID: 4640)
  • SUSPICIOUS

    • Process drops python dynamic module

      • Video.scr.exe (PID: 6276)
      • Video.scr.exe (PID: 6656)
      • HelpPane.exe (PID: 6996)
      • HelpPane.exe (PID: 6168)
      • HelpPane.exe (PID: 1356)
    • Process drops legitimate windows executable

      • Video.scr.exe (PID: 6276)
      • Video.scr.exe (PID: 6656)
      • HelpPane.exe (PID: 6996)
      • HelpPane.exe (PID: 6168)
      • HelpPane.exe (PID: 1356)
    • Executable content was dropped or overwritten

      • Video.scr.exe (PID: 6276)
      • Video.scr.exe (PID: 6656)
      • cmd.exe (PID: 6756)
      • HelpPane.exe (PID: 6996)
      • HelpPane.exe (PID: 6168)
      • HelpPane.exe (PID: 1356)
      • cmd.exe (PID: 5548)
    • Application launched itself

      • Video.scr.exe (PID: 6276)
      • Video.scr.exe (PID: 6296)
      • Video.scr.exe (PID: 6656)
      • HelpPane.exe (PID: 6168)
      • HelpPane.exe (PID: 6996)
      • HelpPane.exe (PID: 1356)
    • The process drops C-runtime libraries

      • Video.scr.exe (PID: 6276)
      • Video.scr.exe (PID: 6656)
      • HelpPane.exe (PID: 6168)
      • HelpPane.exe (PID: 1356)
      • HelpPane.exe (PID: 6996)
    • Starts CMD.EXE for commands execution

      • Video.scr.exe (PID: 6684)
      • HelpPane.exe (PID: 4640)
    • The executable file from the user directory is run by the CMD process

      • HelpPane.exe (PID: 6996)
      • HelpPane.exe (PID: 6168)
    • Executes as Windows Service

      • HelpPane.exe (PID: 1356)
      • spoolsv.exe (PID: 6756)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • HelpPane.exe (PID: 4640)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4592)
    • Potential Corporate Privacy Violation

      • HelpPane.exe (PID: 4640)
    • Contacting a server suspected of hosting a CnC

      • HelpPane.exe (PID: 4640)
    • Connects to unusual port

      • HelpPane.exe (PID: 4640)
    • Connects to FTP

      • HelpPane.exe (PID: 4640)
  • INFO

    • Checks supported languages

      • Video.scr.exe (PID: 6276)
      • Video.scr.exe (PID: 6296)
    • Create files in a temporary directory

      • Video.scr.exe (PID: 6276)
    • Reads the computer name

      • Video.scr.exe (PID: 6296)
    • Reads the machine GUID from the registry

      • Video.scr.exe (PID: 6296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:04 14:43:33+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 125952
InitializedDataSize: 122368
UninitializedDataSize: -
EntryPoint: 0x79d3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 155
Monitored processes: 28
Malicious processes: 6
Suspicious processes: 4

Behavior graph

Process nodes in the graph: start, video.scr.exe, video.scr.exe, video.scr.exe, video.scr.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, helppane.exe, helppane.exe, cmd.exe, conhost.exe, helppane.exe, helppane.exe, helppane.exe (#BITTORRENT), helppane.exe, cmd.exe, conhost.exe, taskkill.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, xmrig.exe, conhost.exe, netsh.exe, conhost.exe, spoolsv.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 236 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 396 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 624 | CMD: C:\WINDOWS\system32\cmd.exe /c copy /y C:\WINDOWS\TEMP\_MEI13~1\config.json C:\WINDOWS\TEMP\config.json | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HelpPane.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1356 | CMD: "C:\Users\admin\HelpPane.exe" | Path: C:\Users\admin\HelpPane.exe | Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules (Images):
c:\users\admin\helppane.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 3092 | CMD: C:\Users\admin\HelpPane.exe start | Path: C:\Users\admin\HelpPane.exe | Parent process: HelpPane.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\helppane.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4592 | CMD: C:\WINDOWS\system32\cmd.exe /c taskkill /pid 2652 /f | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HelpPane.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4640 | CMD: "C:\Users\admin\HelpPane.exe" | Path: C:\Users\admin\HelpPane.exe | Parent process: HelpPane.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules (Images):
c:\users\admin\helppane.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4944 | CMD: taskkill /pid 2652 /f | Path: C:\Windows\SysWOW64\taskkill.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Terminates Processes
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 5252 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5548 | CMD: C:\WINDOWS\system32\cmd.exe /c copy /y C:\WINDOWS\TEMP\_MEI13~1\xmrig.exe C:\WINDOWS\TEMP\xmrig.exe | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: HelpPane.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 2 438
Read events: 2 438
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 127
Suspicious files: 7
Text files: 26
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\bz2.pyd | executable
MD5: C9C00BC854A39E66B27787D188F9E8D7
SHA256: 29520DF660A5BBD704B9106A6650A66E4F5766B904D05F97146668D41DBF5839
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\_socket.pyd | executable
MD5: BE47363992C7DD90019276D35FA8DA76
SHA256: BE10254B111713BEF20A13D561DE61CA3C74A34C64DDC5B10825C64AB2C46734
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\ftpcrack.exe.manifest | xml
MD5: B5DEA49B86C5BB5D9CD8D64A09F70065
SHA256: 78B1160F6ADAB34D144AD19A0F4B83F83453F1E18460BBDFBE17AD354B62AF7D
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\netifaces.pyd | executable
MD5: C7807680A69196C3EE66C4CFB3E271AC
SHA256: 1A6C57AC8031582477B1D3463A65B6EB006EEA704E27C8C4B812B99EA910428D
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\msvcr90.dll | executable
MD5: 199D34B03C7D0EB804A6D9869184B8D4
SHA256: DF86421E354F817607F2BAFC9188569242FCF9DD564B28F3E2915C86A0BA1F54
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\pyexpat.pyd | executable
MD5: AD560121EFD8E249FC3414200D98F75F
SHA256: 0BEB3B16F9A11F93137365A1179D2062A414ADABA337BCAC05A083A921775B50
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\msvcm90.dll | executable
MD5: D34A527493F39AF4491B3E909DC697CA
SHA256: 7A74DA389FBD10A710C294C2E914DC6F18E05F028F07958A2FA53AC44F0E4B90
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\_ssl.pyd | executable
MD5: 68C3AD86E0A8833C29AD1BE10D3C025D
SHA256: C236271B92A0F1D3304337F2E2444107F34D8E26272981F48C47DB347133566C
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\psutil._psutil_windows.pyd | executable
MD5: 2FC800FCC46A597921C2ED447AEB09AC
SHA256: 2E4AD3D08118DA77C928C4614BFECB34397CFAF53F5D46D7C7E5F1DA3172C1F1
6276 | Video.scr.exe | C:\Users\admin\AppData\Local\Temp\_MEI62762\perfmon.pyd | executable
MD5: EE813500A441B5FFDACD853E95BEE669
SHA256: AC491704AF920BE0E503F0243D2D371E230622E213E9F082347B52C0A7B009C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 280
DNS requests: 29
Threats: 22

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells not present in the report are left out of each row)

- | - | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6356 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4704 | SIHClient.exe | GET | 200 | 104.85.1.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4704 | SIHClient.exe | GET | 200 | 104.85.1.163:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (cells not present in the report are left out of each row)

4 | System | 192.168.100.255:137 | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5064 | SearchApp.exe | 2.23.209.150:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4500 | RUXIMICS.exe | 40.127.240.158:443 | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.114
  • 2.16.164.18
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 104.85.1.163
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 2.23.209.150
  • 2.23.209.133
  • 2.23.209.141
  • 2.23.209.158
  • 2.23.209.135
  • 2.23.209.187
  • 2.23.209.161
  • 2.23.209.130
  • 2.23.209.181
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.68
  • 40.126.32.74
  • 20.190.160.22
  • 40.126.32.138
  • 20.190.160.17
whitelisted
go.microsoft.com
  • 23.32.186.57
whitelisted
dht.transmissionbt.com
  • 212.129.33.59
  • 87.98.162.88
unknown
router.bittorrent.com
  • 67.215.246.10
whitelisted
router.utorrent.com
  • 82.221.103.244
whitelisted

Threats

Columns: PID | Process | Class | Message

4640 | HelpPane.exe | Misc activity | INFO [ANY.RUN] P2P BitTorrent Protocol
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT nodes reply
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
4640 | HelpPane.exe | Malware Command and Control Activity Detected | ET MALWARE Mozi Botnet DHT Config Sent
No debug info