| File name: | SHProto.exe |
| Full analysis: | https://app.any.run/tasks/c17fb99e-fced-44ee-8963-019b710eaa4c |
| Verdict: | Malicious activity |
| Analysis date: | October 11, 2024, 14:22:18 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 613FBB17E33CB792B8582F258286FBFF |
| SHA1: | 88BDB65376DA426DA7728C83B8B6CA355DED9E44 |
| SHA256: | 66E79F6B44DEA6D72AC771F41E3D097026E9705312CE6A7DA19BC819E48D80B1 |
| SSDEEP: | 98304:q7lSN31GoEtgGin+Z6EwbUHnoUYQa3N3am+nYBlmjC/xPixPYEEYJOqYmNdylFL0:d2r50Qf |
MALICIOUS
Changes the autorun value in the registry
- system.exe (PID: 4312)
- system.exe (PID: 1200)
- system.exe (PID: 540)
- system.exe (PID: 4224)
- system.exe (PID: 7392)
- system.exe (PID: 6200)
- system.exe (PID: 3848)
Create files in the Startup directory
- system.exe (PID: 3848)
SUSPICIOUS
Reads security settings of Internet Explorer
- SHProto.exe (PID: 6696)
- SHProto.exe (PID: 608)
- SHProto.exe (PID: 2648)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 1252)
- SHProto.exe (PID: 5220)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6400)
- SHProto.exe (PID: 6344)
- SHProto.exe (PID: 5328)
- SHProto.exe (PID: 1204)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 7408)
The process creates files with name similar to system file names
- SHProto.exe (PID: 6696)
Executable content was dropped or overwritten
- SHProto.exe (PID: 6696)
- system.exe (PID: 3848)
- system.exe (PID: 300)
- SHProto.exe (PID: 7848)
Application launched itself
- SHProto.exe (PID: 6696)
- SHProto.exe (PID: 608)
- SHProto.exe (PID: 2648)
- SHProto.exe (PID: 1252)
- SHProto.exe (PID: 5220)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 6400)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6344)
- SHProto.exe (PID: 5328)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 1204)
- SHProto.exe (PID: 7848)
- SHProto.exe (PID: 6704)
- SHProto.exe (PID: 7408)
- SHProto.exe (PID: 7916)
- SHProto.exe (PID: 5036)
- SHProto.exe (PID: 7920)
- SHProto.exe (PID: 7784)
- SHProto.exe (PID: 7340)
- SHProto.exe (PID: 7860)
- SHProto.exe (PID: 7972)
- SHProto.exe (PID: 7836)
- SHProto.exe (PID: 1176)
- SHProto.exe (PID: 7804)
- SHProto.exe (PID: 8000)
- SHProto.exe (PID: 7484)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 7964)
- SHProto.exe (PID: 1784)
- SHProto.exe (PID: 696)
- SHProto.exe (PID: 7180)
- SHProto.exe (PID: 8184)
- SHProto.exe (PID: 6740)
- SHProto.exe (PID: 6124)
- SHProto.exe (PID: 5580)
- SHProto.exe (PID: 3828)
- SHProto.exe (PID: 8080)
- SHProto.exe (PID: 7280)
- SHProto.exe (PID: 7424)
- SHProto.exe (PID: 8072)
- SHProto.exe (PID: 5952)
- SHProto.exe (PID: 6668)
- SHProto.exe (PID: 7424)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 5324)
- SHProto.exe (PID: 7632)
- SHProto.exe (PID: 2736)
- SHProto.exe (PID: 1376)
- SHProto.exe (PID: 5524)
- SHProto.exe (PID: 7152)
- SHProto.exe (PID: 6212)
- SHProto.exe (PID: 6196)
- SHProto.exe (PID: 7136)
- SHProto.exe (PID: 7932)
- SHProto.exe (PID: 8172)
- SHProto.exe (PID: 8040)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 616)
- SHProto.exe (PID: 7952)
- SHProto.exe (PID: 7656)
- SHProto.exe (PID: 2312)
- SHProto.exe (PID: 7256)
- SHProto.exe (PID: 5792)
- SHProto.exe (PID: 8172)
- SHProto.exe (PID: 7604)
- SHProto.exe (PID: 4868)
- SHProto.exe (PID: 8148)
- SHProto.exe (PID: 7084)
- SHProto.exe (PID: 7792)
- SHProto.exe (PID: 6832)
- SHProto.exe (PID: 2484)
- SHProto.exe (PID: 3912)
- SHProto.exe (PID: 6408)
- SHProto.exe (PID: 7908)
- SHProto.exe (PID: 6260)
- SHProto.exe (PID: 7504)
- SHProto.exe (PID: 1792)
- SHProto.exe (PID: 8072)
- SHProto.exe (PID: 4568)
- SHProto.exe (PID: 6468)
- SHProto.exe (PID: 2056)
- SHProto.exe (PID: 7936)
- SHProto.exe (PID: 7788)
- SHProto.exe (PID: 6200)
- SHProto.exe (PID: 4448)
- SHProto.exe (PID: 7540)
- SHProto.exe (PID: 7880)
- SHProto.exe (PID: 7876)
- SHProto.exe (PID: 2416)
- SHProto.exe (PID: 5860)
- SHProto.exe (PID: 4072)
- SHProto.exe (PID: 8024)
- SHProto.exe (PID: 5792)
- SHProto.exe (PID: 7148)
- SHProto.exe (PID: 7892)
- SHProto.exe (PID: 8112)
- SHProto.exe (PID: 7908)
- SHProto.exe (PID: 7968)
- SHProto.exe (PID: 3728)
- SHProto.exe (PID: 6180)
- SHProto.exe (PID: 7780)
Hides command output
- cmd.exe (PID: 6584)
- cmd.exe (PID: 7096)
- cmd.exe (PID: 6848)
- cmd.exe (PID: 6328)
- cmd.exe (PID: 6136)
- cmd.exe (PID: 4436)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 6300)
- cmd.exe (PID: 6432)
- cmd.exe (PID: 4408)
- cmd.exe (PID: 1700)
- cmd.exe (PID: 7212)
- cmd.exe (PID: 7480)
- cmd.exe (PID: 6824)
- cmd.exe (PID: 2312)
- cmd.exe (PID: 6692)
- cmd.exe (PID: 7888)
- cmd.exe (PID: 5900)
- cmd.exe (PID: 8172)
- cmd.exe (PID: 7340)
- cmd.exe (PID: 1784)
- cmd.exe (PID: 6124)
- cmd.exe (PID: 7540)
- cmd.exe (PID: 7908)
- cmd.exe (PID: 6540)
- cmd.exe (PID: 7136)
- cmd.exe (PID: 7352)
- cmd.exe (PID: 8092)
- cmd.exe (PID: 7468)
- cmd.exe (PID: 6236)
- cmd.exe (PID: 8084)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 7244)
- cmd.exe (PID: 6884)
- cmd.exe (PID: 7936)
- cmd.exe (PID: 1068)
- cmd.exe (PID: 6044)
- cmd.exe (PID: 6816)
- cmd.exe (PID: 7040)
- cmd.exe (PID: 4304)
- cmd.exe (PID: 6368)
- cmd.exe (PID: 6124)
- cmd.exe (PID: 8132)
- cmd.exe (PID: 8036)
- cmd.exe (PID: 7508)
- cmd.exe (PID: 5084)
- cmd.exe (PID: 5912)
- cmd.exe (PID: 300)
- cmd.exe (PID: 3912)
- cmd.exe (PID: 8128)
- cmd.exe (PID: 7404)
- cmd.exe (PID: 6336)
- cmd.exe (PID: 3004)
- cmd.exe (PID: 6404)
- cmd.exe (PID: 7672)
- cmd.exe (PID: 1252)
- cmd.exe (PID: 4316)
- cmd.exe (PID: 7496)
- cmd.exe (PID: 3508)
- cmd.exe (PID: 8148)
- cmd.exe (PID: 7960)
- cmd.exe (PID: 7992)
- cmd.exe (PID: 3396)
- cmd.exe (PID: 7400)
- cmd.exe (PID: 5356)
- cmd.exe (PID: 4568)
- cmd.exe (PID: 7136)
- cmd.exe (PID: 7096)
- cmd.exe (PID: 7112)
- cmd.exe (PID: 1376)
- cmd.exe (PID: 7416)
- cmd.exe (PID: 5748)
- cmd.exe (PID: 8084)
- cmd.exe (PID: 7792)
- cmd.exe (PID: 7464)
- cmd.exe (PID: 6416)
- cmd.exe (PID: 7048)
- cmd.exe (PID: 7256)
- cmd.exe (PID: 7908)
- cmd.exe (PID: 5932)
- cmd.exe (PID: 5284)
- cmd.exe (PID: 5172)
- cmd.exe (PID: 7996)
- cmd.exe (PID: 8056)
- cmd.exe (PID: 7476)
- cmd.exe (PID: 7276)
- cmd.exe (PID: 7216)
- cmd.exe (PID: 3772)
- cmd.exe (PID: 1792)
- cmd.exe (PID: 7980)
- cmd.exe (PID: 2312)
- cmd.exe (PID: 5048)
- cmd.exe (PID: 7764)
- cmd.exe (PID: 5284)
- cmd.exe (PID: 8064)
- cmd.exe (PID: 7672)
- cmd.exe (PID: 6136)
- cmd.exe (PID: 7860)
- cmd.exe (PID: 3568)
- cmd.exe (PID: 7232)
- cmd.exe (PID: 3396)
- cmd.exe (PID: 7472)
- cmd.exe (PID: 8172)
Starts CMD.EXE for commands execution
- SHProto.exe (PID: 6696)
- SHProto.exe (PID: 608)
- SHProto.exe (PID: 2648)
- SHProto.exe (PID: 1252)
- SHProto.exe (PID: 5220)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 6400)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6344)
- SHProto.exe (PID: 5328)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 1204)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 7848)
- SHProto.exe (PID: 6704)
- SHProto.exe (PID: 7916)
- SHProto.exe (PID: 7408)
- SHProto.exe (PID: 7340)
- SHProto.exe (PID: 7920)
- SHProto.exe (PID: 5036)
- SHProto.exe (PID: 7860)
- SHProto.exe (PID: 7784)
- SHProto.exe (PID: 7836)
- SHProto.exe (PID: 1176)
- SHProto.exe (PID: 7804)
- SHProto.exe (PID: 8000)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 7972)
- SHProto.exe (PID: 7484)
- SHProto.exe (PID: 7180)
- SHProto.exe (PID: 1784)
- SHProto.exe (PID: 7964)
- SHProto.exe (PID: 5580)
- SHProto.exe (PID: 6124)
- SHProto.exe (PID: 6740)
- SHProto.exe (PID: 696)
- SHProto.exe (PID: 8184)
- SHProto.exe (PID: 7424)
- SHProto.exe (PID: 3828)
- SHProto.exe (PID: 8080)
- SHProto.exe (PID: 7280)
- SHProto.exe (PID: 6668)
- SHProto.exe (PID: 8072)
- SHProto.exe (PID: 5952)
- SHProto.exe (PID: 7424)
- SHProto.exe (PID: 5324)
- SHProto.exe (PID: 1376)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 7632)
- SHProto.exe (PID: 5524)
- SHProto.exe (PID: 6212)
- SHProto.exe (PID: 7152)
- SHProto.exe (PID: 2736)
- SHProto.exe (PID: 7932)
- SHProto.exe (PID: 6196)
- SHProto.exe (PID: 7136)
- SHProto.exe (PID: 8040)
- SHProto.exe (PID: 8172)
- SHProto.exe (PID: 616)
- SHProto.exe (PID: 7656)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 2312)
- SHProto.exe (PID: 7256)
- SHProto.exe (PID: 7952)
- SHProto.exe (PID: 5792)
- SHProto.exe (PID: 4868)
- SHProto.exe (PID: 7604)
- SHProto.exe (PID: 8172)
- SHProto.exe (PID: 8148)
- SHProto.exe (PID: 7084)
- SHProto.exe (PID: 7792)
- SHProto.exe (PID: 6832)
- SHProto.exe (PID: 6260)
- SHProto.exe (PID: 3912)
- SHProto.exe (PID: 7504)
- SHProto.exe (PID: 2484)
- SHProto.exe (PID: 7908)
- SHProto.exe (PID: 6408)
- SHProto.exe (PID: 1792)
- SHProto.exe (PID: 8072)
- SHProto.exe (PID: 7788)
- SHProto.exe (PID: 7936)
- SHProto.exe (PID: 4568)
- SHProto.exe (PID: 6468)
- SHProto.exe (PID: 7540)
- SHProto.exe (PID: 4448)
- SHProto.exe (PID: 6200)
- SHProto.exe (PID: 2056)
- SHProto.exe (PID: 4072)
- SHProto.exe (PID: 5860)
- SHProto.exe (PID: 2416)
- SHProto.exe (PID: 7880)
- SHProto.exe (PID: 7876)
- SHProto.exe (PID: 8024)
- SHProto.exe (PID: 7148)
- SHProto.exe (PID: 7892)
- SHProto.exe (PID: 5792)
- SHProto.exe (PID: 8112)
- SHProto.exe (PID: 3728)
- SHProto.exe (PID: 7908)
- SHProto.exe (PID: 7968)
- SHProto.exe (PID: 7780)
- SHProto.exe (PID: 6180)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 6584)
- cmd.exe (PID: 6848)
- cmd.exe (PID: 7096)
- cmd.exe (PID: 6328)
- cmd.exe (PID: 6136)
- cmd.exe (PID: 4436)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 6300)
- cmd.exe (PID: 6432)
- cmd.exe (PID: 1700)
- cmd.exe (PID: 4408)
- cmd.exe (PID: 7212)
- cmd.exe (PID: 7480)
- cmd.exe (PID: 7888)
- cmd.exe (PID: 6824)
- cmd.exe (PID: 2312)
- cmd.exe (PID: 1784)
- cmd.exe (PID: 7340)
- cmd.exe (PID: 6692)
- cmd.exe (PID: 8172)
- cmd.exe (PID: 6124)
- cmd.exe (PID: 7908)
- cmd.exe (PID: 5900)
- cmd.exe (PID: 6540)
- cmd.exe (PID: 7352)
- cmd.exe (PID: 8092)
- cmd.exe (PID: 7540)
- cmd.exe (PID: 7136)
- cmd.exe (PID: 6236)
- cmd.exe (PID: 7244)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 7468)
- cmd.exe (PID: 1068)
- cmd.exe (PID: 6044)
- cmd.exe (PID: 8084)
- cmd.exe (PID: 6368)
- cmd.exe (PID: 4304)
- cmd.exe (PID: 6884)
- cmd.exe (PID: 7936)
- cmd.exe (PID: 6816)
- cmd.exe (PID: 6124)
- cmd.exe (PID: 8132)
- cmd.exe (PID: 7040)
- cmd.exe (PID: 7508)
- cmd.exe (PID: 3912)
- cmd.exe (PID: 5912)
- cmd.exe (PID: 5084)
- cmd.exe (PID: 8036)
- cmd.exe (PID: 7404)
- cmd.exe (PID: 3004)
- cmd.exe (PID: 300)
- cmd.exe (PID: 6336)
- cmd.exe (PID: 1252)
- cmd.exe (PID: 6404)
- cmd.exe (PID: 8128)
- cmd.exe (PID: 7672)
- cmd.exe (PID: 3508)
- cmd.exe (PID: 4316)
- cmd.exe (PID: 7496)
- cmd.exe (PID: 8148)
- cmd.exe (PID: 7960)
- cmd.exe (PID: 7400)
- cmd.exe (PID: 7136)
- cmd.exe (PID: 7096)
- cmd.exe (PID: 5356)
- cmd.exe (PID: 3396)
- cmd.exe (PID: 7992)
- cmd.exe (PID: 7112)
- cmd.exe (PID: 1376)
- cmd.exe (PID: 7416)
- cmd.exe (PID: 4568)
- cmd.exe (PID: 5748)
- cmd.exe (PID: 8084)
- cmd.exe (PID: 7792)
- cmd.exe (PID: 7464)
- cmd.exe (PID: 7048)
- cmd.exe (PID: 6416)
- cmd.exe (PID: 5932)
- cmd.exe (PID: 7256)
- cmd.exe (PID: 7908)
- cmd.exe (PID: 5284)
- cmd.exe (PID: 5172)
- cmd.exe (PID: 7996)
- cmd.exe (PID: 8056)
- cmd.exe (PID: 1792)
- cmd.exe (PID: 7476)
- cmd.exe (PID: 7276)
- cmd.exe (PID: 3772)
- cmd.exe (PID: 7764)
- cmd.exe (PID: 7980)
- cmd.exe (PID: 2312)
- cmd.exe (PID: 7216)
- cmd.exe (PID: 8064)
- cmd.exe (PID: 7672)
- cmd.exe (PID: 6136)
- cmd.exe (PID: 5048)
- cmd.exe (PID: 5284)
- cmd.exe (PID: 3396)
- cmd.exe (PID: 7860)
- cmd.exe (PID: 3568)
- cmd.exe (PID: 7232)
- cmd.exe (PID: 8172)
- cmd.exe (PID: 7472)
INFO
Checks supported languages
- SHProto.exe (PID: 6696)
- system.exe (PID: 300)
- SHProto.exe (PID: 608)
- system.exe (PID: 5084)
- SHProto.exe (PID: 2648)
- system.exe (PID: 7048)
- SHProto.exe (PID: 1252)
- system.exe (PID: 6340)
- SHProto.exe (PID: 6432)
- system.exe (PID: 6200)
- SHProto.exe (PID: 6400)
- system.exe (PID: 5920)
- SHProto.exe (PID: 5220)
- system.exe (PID: 4312)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6344)
- system.exe (PID: 5524)
- system.exe (PID: 3848)
- SHProto.exe (PID: 5328)
- system.exe (PID: 1200)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 1204)
- system.exe (PID: 540)
- SHProto.exe (PID: 7408)
- system.exe (PID: 7392)
- system.exe (PID: 4224)
- SHProto.exe (PID: 7188)
Create files in a temporary directory
- SHProto.exe (PID: 6696)
Reads the computer name
- SHProto.exe (PID: 6696)
- SHProto.exe (PID: 608)
- SHProto.exe (PID: 2648)
- system.exe (PID: 300)
- system.exe (PID: 5084)
- system.exe (PID: 7048)
- system.exe (PID: 6340)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 1252)
- system.exe (PID: 5920)
- SHProto.exe (PID: 5220)
- system.exe (PID: 6200)
- system.exe (PID: 4312)
- SHProto.exe (PID: 6400)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6344)
- system.exe (PID: 5524)
- system.exe (PID: 3848)
- SHProto.exe (PID: 5328)
- system.exe (PID: 1200)
- SHProto.exe (PID: 1204)
- SHProto.exe (PID: 4224)
- system.exe (PID: 540)
- SHProto.exe (PID: 7188)
- system.exe (PID: 7392)
- system.exe (PID: 4224)
- SHProto.exe (PID: 7408)
Process checks computer location settings
- SHProto.exe (PID: 6696)
- SHProto.exe (PID: 608)
- SHProto.exe (PID: 2648)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 1252)
- SHProto.exe (PID: 5220)
- SHProto.exe (PID: 6400)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6344)
- SHProto.exe (PID: 5328)
- SHProto.exe (PID: 1204)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 7408)
The process uses the downloaded file
- SHProto.exe (PID: 6696)
- SHProto.exe (PID: 608)
- SHProto.exe (PID: 2648)
- SHProto.exe (PID: 6432)
- SHProto.exe (PID: 1252)
- SHProto.exe (PID: 5220)
- SHProto.exe (PID: 6392)
- SHProto.exe (PID: 6400)
- SHProto.exe (PID: 6344)
- SHProto.exe (PID: 5328)
- SHProto.exe (PID: 1204)
- SHProto.exe (PID: 4224)
- SHProto.exe (PID: 7188)
- SHProto.exe (PID: 7408)
Creates files or folders in the user directory
- system.exe (PID: 3848)
- system.exe (PID: 6200)
Mpress packer has been detected
- system.exe (PID: 4312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ 4.x (69.9) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (14.3) |
| .scr | | | Windows screen saver (6.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (3.4) |
| .exe | | | Win32 Executable (generic) (2.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2013:06:15 16:44:28+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 5.12 |
| CodeSize: | 3584 |
| InitializedDataSize: | 2839552 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1ae1 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Private build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileVersion: | 1.0.0.0 (01/10/2024) |
| ProductVersion: | 1.0.0.0 |
| OriginalFileName: | SHProto.exe |
| InternalName: | SHProto.exe |
| FileDescription: | SilentHill |
| CompanyName: | Konami |
| LegalCopyright: | (c) 2024 Konami Digital Entertainment |
| ProductName: | SilentHill |
| PrivateBuild: | Built by: builder |
Total processes
646
Monitored processes
522
Malicious processes
48
Suspicious processes
54
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 204 | ping -n 3 127.0.0.1 | C:\Windows\SysWOW64\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 300 | "C:\Users\admin\AppData\Local\Temp\system.exe" | C:\Users\admin\AppData\Local\Temp\system.exe | SHProto.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: svchost Exit code: 4294967295 Version: 1.0.0.0 Modules
| |||||||||||||||
| 300 | ping -n 3 127.0.0.1 | C:\Windows\SysWOW64\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
| 300 | "C:\WINDOWS\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\admin\AppData\Local\Temp\SHProto.exe" "C:\Users\admin\AppData\Local\Temp\SHProto.exe" >> NUL | C:\Windows\SysWOW64\cmd.exe | — | SHProto.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) | |||||||||||||||
| 512 | "C:\Users\admin\AppData\Local\Temp\system.exe" | C:\Users\admin\AppData\Local\Temp\system.exe | — | SHProto.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: svchost Exit code: 4294967295 Version: 1.0.0.0 | |||||||||||||||
| 512 | "C:\Users\admin\AppData\Local\Temp\system.exe" | C:\Users\admin\AppData\Local\Temp\system.exe | — | SHProto.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: svchost Exit code: 4294967295 Version: 1.0.0.0 | |||||||||||||||
| 540 | "C:\Users\admin\AppData\Local\Temp\system.exe" | C:\Users\admin\AppData\Local\Temp\system.exe | SHProto.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: svchost Exit code: 4294967295 Version: 1.0.0.0 Modules
| |||||||||||||||
| 540 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
| 608 | "C:\Users\admin\AppData\Local\Temp\SHProto.exe" | C:\Users\admin\AppData\Local\Temp\SHProto.exe | — | SHProto.exe | |||||||||||
User: admin Company: Konami Integrity Level: MEDIUM Description: SilentHill Exit code: 0 Version: 1.0.0.0 (01/10/2024) Modules
| |||||||||||||||
| 612 | "C:\Users\admin\AppData\Local\Temp\system.exe" | C:\Users\admin\AppData\Local\Temp\system.exe | — | SHProto.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: svchost Exit code: 4294967295 Version: 1.0.0.0 | |||||||||||||||
Total events
13 462
Read events
13 447
Write events
15
Delete events
0
Modification events
| (PID) Process: | (3848) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (1200) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (540) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (4224) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (4312) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (7392) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (6200) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (5920) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (6340) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
| (PID) Process: | (7048) system.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Driver |
Value: C:\Users\admin\AppData\Roaming\Sysfiles\system.exe | |||
Executable files
4
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7452 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 6564 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 7824 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 6936 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 7172 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 6892 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 7988 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 5952 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 7136 | system.exe | — | ||
MD5:— | SHA256:— | |||
| 6432 | system.exe | — | ||
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
37
DNS requests
16
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5824 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.164.81:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.16.164.81:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 2.23.209.131:443 | — | Akamai International B.V. | GB | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5824 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5824 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |