File name: 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe

Full analysis: https://app.any.run/tasks/91219a9f-f790-455e-a413-2a4ba3a83c3b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 20, 2019, 20:49:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
phishing
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C7ACE95FFEAEE79C78CE474F4C661613
SHA1: 9CC06A618E44FC529AFDAA013A3746A049414C79
SHA256: 8ECF4F11E3FF132B88D72FA3DD458E1E2D1BADFEE892FED7D855228ECC9495A1
SSDEEP: 49152:RDHZoR+KpmPggzCselSkh/IavN76fs+r31Vwg:RF0+PPggISkFN7+rFVwg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
      • setup.exe (PID: 2880)
    • Application was dropped or rewritten from another process

      • 73.0.3683.86_73.0.3683.75_chrome_updater.exe (PID: 4028)
      • setup.exe (PID: 2880)
      • setup.exe (PID: 856)
    • Loads the Task Scheduler COM API

      • GoogleUpdate.exe (PID: 1408)
  • SUSPICIOUS

    • Creates files in the program directory

      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
      • GoogleUpdate.exe (PID: 2668)
      • setup.exe (PID: 4840)
      • setup.exe (PID: 2880)
    • Executable content was dropped or overwritten

      • GoogleUpdate.exe (PID: 2668)
      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
      • setup.exe (PID: 2880)
    • Connects to unusual port

      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
    • Creates files in the Windows directory

      • 73.0.3683.86_73.0.3683.75_chrome_updater.exe (PID: 4028)
      • setup.exe (PID: 4840)
      • GoogleUpdate.exe (PID: 4680)
    • Checks for external IP

      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
    • Connects to SMTP port

      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
    • Removes files from Windows directory

      • setup.exe (PID: 4840)
      • 73.0.3683.86_73.0.3683.75_chrome_updater.exe (PID: 4028)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 2880)
    • Creates a software uninstall entry

      • setup.exe (PID: 2880)
    • Application launched itself

      • GoogleUpdate.exe (PID: 2668)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • setup.exe (PID: 2880)
      • 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe (PID: 2800)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:20 10:20:37+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 2129920
InitializedDataSize: 47616
UninitializedDataSize: -
EntryPoint: 0x13f0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.7
ProductVersionNumber: 1.0.0.7
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: Tool used internally by Total Commander, do not start directly!
CompanyName: Ghisler Software GmbH
FileDescription: Total Commander 32bit->64bit helper tool
FileVersion: 1, 0, 0, 7
InternalName: Totalcmd-X64
LegalCopyright: Copyright © 2008-2016 Christian Ghisler
OriginalFileName: tcmdx64.exe
ProductName: Ghisler Software GmbH Totalcmd-X64
ProductVersion: 1, 0, 0, 7

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2019 09:20:37
Detected languages:
  • English - United States
  • German - Switzerland
Comments: Tool used internally by Total Commander, do not start directly!
CompanyName: Ghisler Software GmbH
FileDescription: Total Commander 32bit->64bit helper tool
FileVersion: 1, 0, 0, 7
InternalName: Totalcmd-X64
LegalCopyright: Copyright © 2008-2016 Christian Ghisler
OriginalFilename: tcmdx64.exe
ProductName: Ghisler Software GmbH Totalcmd-X64
ProductVersion: 1, 0, 0, 7

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 20-Mar-2019 09:20:37
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00207ED1 | 0x00208000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.96765
.rdata | 0x00209000 | 0x000094AE | 0x00009600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.36797
.data | 0x00213000 | 0x000005B0 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.79713
.rsrc | 0x00214000 | 0x001E5C48 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.30282

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.44052 | 1032 | UNKNOWN | German - Switzerland | RT_VERSION
2 | 5.03471 | 1384 | UNKNOWN | German - Switzerland | RT_ICON
3 | 4.01832 | 744 | UNKNOWN | German - Switzerland | RT_ICON
4 | 5.59095 | 2216 | UNKNOWN | German - Switzerland | RT_ICON
101 | 2.56055 | 62 | UNKNOWN | German - Switzerland | RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 13
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process tree (graph nodes as listed in the report; edges are labelled "start" or "drop and start", and "no specs" marks a node without its own indicators):
  • 2019-03-20-spelevo-ek-decoded-payload-from-infected-host.exe
  • googleupdate.exe (no specs)
  • googleupdate.exe
  • 73.0.3683.86_73.0.3683.75_chrome_updater.exe (no specs)
  • setup.exe (no specs)
  • setup.exe (no specs)
  • setup.exe
  • setup.exe (no specs)
  • googleupdate.exe (no specs)
  • googleupdate.exe (no specs)
  • googlecrashhandler.exe (no specs)
  • googlecrashhandler64.exe (no specs)
  • googleupdate.exe (no specs)

Process information

Each entry lists PID, command line (CMD), image path, parent process, and the loaded modules; the report's Indicators column is empty for every process.

PID: 856
CMD: C:\Windows\TEMP\CR_38BFF.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=73.0.3683.86 --initial-client-data=0xe8,0xec,0xf0,0xe4,0xf4,0x13fd78358,0x13fd78368,0x13fd78378
Path: C:\Windows\TEMP\CR_38BFF.tmp\setup.exe
Parent process: setup.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Chrome Installer
Exit code: 0
Version: 73.0.3683.86
Modules (images):
  • c:\windows\temp\cr_38bff.tmp\setup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\shlwapi.dll

PID: 1408
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: taskeng.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Installer
Exit code: 0
Version: 1.3.33.5
Modules (images):
  • c:\program files (x86)\google\update\googleupdate.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 1600
CMD: "C:\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler.exe"
Path: C:\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler.exe
Parent process: GoogleUpdate.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Crash Handler
Exit code: 0
Version: 1.3.33.23
Modules (images):
  • c:\program files (x86)\google\update\1.3.33.23\googlecrashhandler.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2216
CMD: "C:\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe"
Path: C:\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe
Parent process: GoogleUpdate.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Crash Handler
Exit code: 0
Version: 1.3.33.23
Modules (images):
  • c:\program files (x86)\google\update\1.3.33.23\googlecrashhandler64.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 2668
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: services.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Installer
Exit code: 0
Version: 1.3.33.5
Modules (images):
  • c:\program files (x86)\google\update\googleupdate.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2800
CMD: "C:\Users\admin\AppData\Local\Temp\2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe"
Path: C:\Users\admin\AppData\Local\Temp\2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe
Parent process: explorer.exe
User: admin
Company: Ghisler Software GmbH
Integrity Level: MEDIUM
Description: Total Commander 32bit->64bit helper tool
Exit code: 0
Version: 1, 0, 0, 7
Modules (images):
  • c:\users\admin\appdata\local\temp\2019-03-20-spelevo-ek-decoded-payload-from-infected-host.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 2880
CMD: "C:\Windows\TEMP\CR_38BFF.tmp\setup.exe" --install-archive="C:\Windows\TEMP\CR_38BFF.tmp\CHROME_PATCH.PACKED.7Z" --previous-version="73.0.3683.75" --verbose-logging --do-not-launch-chrome --system-level
Path: C:\Windows\TEMP\CR_38BFF.tmp\setup.exe
Parent process: 73.0.3683.86_73.0.3683.75_chrome_updater.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Chrome Installer
Exit code: 0
Version: 73.0.3683.86
Modules (images):
  • c:\windows\temp\cr_38bff.tmp\setup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\shell32.dll

PID: 2916
CMD: "C:\Program Files (x86)\Google\Chrome\Application\73.0.3683.75\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0xe8,0xec,0xf0,0xe4,0xf4,0x13f258358,0x13f258368,0x13f258378
Path: C:\Program Files (x86)\Google\Chrome\Application\73.0.3683.75\Installer\setup.exe
Parent process: setup.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Chrome Installer
Exit code: 0
Version: 73.0.3683.75
Modules (images):
  • c:\program files (x86)\google\chrome\application\73.0.3683.75\installer\setup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\shlwapi.dll

PID: 3412
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: taskeng.exe
User: SYSTEM
Company: Google Inc.
Integrity Level: SYSTEM
Description: Google Installer
Exit code: 0
Version: 1.3.33.5
Modules (images):
  • c:\program files (x86)\google\update\googleupdate.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll

PID: 3944
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zMy4yMyIgc2hlbGxfdmVyc2lvbj0iMS4zLjMzLjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjU1OUE0MjgtRDcyNS00MjUzLUJGNDgtRTI5QTYyNDAzRjZBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins1RjMyNDc2OS0zRjE0LTRCRDctQjVBMC1BRTI3QzUxNDIwOEN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjQiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjczLjAuMzY4My43NSIgbmV4dHZlcnNpb249IjczLjAuMzY4My44NiIgX251bWFjY291bnRzPSIxIiBfbnVtc2lnbmVkaW49IjAiIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9InJ1IiBicmFuZD0iR0NFQSIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQwNSIgaW5zdGFsbGRhdGU9IjQwNTMiIGNvaG9ydD0iMTpndS9yMGY6IiBjb2hvcnRuYW1lPSI3M184Nl9XaW4iPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-[...]-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iODQ0IiBkb3dubG9hZF90aW1lX21zPSIyNTg0MyIgZG93bmxvYWRlZD0iMjMzODA0OCIgdG90YWw9IjIzMzgwNDgiIGluc3RhbGxfdGltZV9tcz0iMTY2NDEiLz48L2FwcD48L3JlcXVlc3Q-
(The middle of the base64 ping argument is missing from the extracted page; the gap is marked [...].)
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Installer
Exit code: 0
Version: 1.3.33.5
Modules (images):
  • c:\program files (x86)\google\update\googleupdate.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\systemroot\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernelbase.dll
Total events: 2 033
Read events: 309
Write events: 1 692
Delete events: 32

Modification events

(PID) Process: (2800) 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Windows\Configuration
Operation: write
Name: i
Value: 31B5EA842832C39FA9A7

(PID) Process: (2800) 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Windows Session Manager
Value: "C:\ProgramData\services\csrss.exe"

(PID) Process: (2800) 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Windows Session Manager
Value: "C:\ProgramData\services\csrss.exe"

(PID) Process: (2800) 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Resources\Help
Operation: write
Name: id
Value: 985DB5C49C2FED395852

(PID) Process: (2800) 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Resources\Help
Operation: write
Name: fs
Value: 1

(PID) Process: (3412) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update
Operation: write
Name: LastStartedAU
Value: 1553115595

(PID) Process: (2668) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState
Operation: delete key
Name:
Value:

(PID) Process: (2668) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\CurrentState
Operation: delete key
Name:
Value:

(PID) Process: (2668) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{BF3826E4-6E16-4BA4-82F2-A847329F97C7}
Operation: write
Name: PersistedPingString
Value: <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.33.23" shell_version="1.3.33.5" ismachine="1" sessionid="{F559A428-D725-4253-BF48-E29A62403F6A}" requestid="{BF3826E4-6E16-4BA4-82F2-A847329F97C7}" dedup="cr" domainjoined="0"><hw physmemory="4" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="6.1.7601.0" sp="Service Pack 1" arch="x64"/></request>

(PID) Process: (2668) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\PersistedPings\{BF3826E4-6E16-4BA4-82F2-A847329F97C7}
Operation: write
Name: PersistedPingTime
Value: 131975892165801250
Executable files: 13
Suspicious files: 8
Text files: 34
Unknown types: 65

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\state.tmp | | |
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\unverified-microdesc-consensus.tmp | | |
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\cached-certs.tmp | | |
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\cached-microdesc-consensus.tmp | | |
4840 | setup.exe | C:\Windows\TEMP\scoped_dir4840_16368\setup_patch.diff | | |
4840 | setup.exe | C:\Windows\Temp\scoped_dir4840_16368\cb804437-440b-402f-aceb-3754209ec5e2.tmp | | |
4840 | setup.exe | C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\cff76552-1229-4f2f-9632-7be8b6482756.tmp | | |
2880 | setup.exe | C:\Program Files (x86)\Google\Chrome\Temp\source2880_31282\chrome_patch.chrome_diff | | |
2880 | setup.exe | C:\Program Files (x86)\Google\Chrome\Temp\source2880_31282\ab196532-a83b-40bc-bc11-0fd2227e1c5c.tmp | | |
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | C:\Users\admin\AppData\Local\Temp\9P2I8F~1\unverified-microdesc-consensus | text | |
(MD5 and SHA256 columns are empty in the report as extracted.)
HTTP(S) requests: 4 833
TCP/UDP connections: 21 623
DNS requests: 76
Threats: 283

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | | 50.63.202.34:80 | http://lolafinancial.com/ | US | | | malicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 301 | 94.231.103.100:80 | http://klintholm-ridecenter.dk/ | DK | | | malicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | | 104.31.93.104:80 | http://www.anti-abuse.org/multi-rbl-check-results/?host=136.0.0.150 | US | | | suspicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 200 | 104.18.34.131:80 | http://whatsmyip.net/ | US | html | 2.96 Kb | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 503 | 104.31.93.104:80 | http://www.anti-abuse.org/multi-rbl-check-results/?host=136.0.0.150 | US | html | 6.67 Kb | suspicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 193.23.244.244:443 | | Chaos Computer Club e.V. | DE | malicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 194.109.206.212:443 | | Xs4all Internet BV | NL | malicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 185.165.242.5:9001 | | Amplica Srl | MD | suspicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 148.251.193.183:9001 | | Hetzner Online GmbH | DE | suspicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 145.239.7.170:443 | | OVH SAS | GB | suspicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 104.18.34.131:80 | whatsmyip.net | Cloudflare Inc | US | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 94.100.180.160:465 | smtp.mail.ru | Limited liability company Mail.Ru | RU | malicious
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 104.31.93.104:80 | www.anti-abuse.org | Cloudflare Inc | US | shared
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | 94.100.180.160:25 | smtp.mail.ru | Limited liability company Mail.Ru | RU | malicious

DNS requests

Domain | IP | Reputation
whatismyipaddress.com | 104.16.154.36, 104.16.155.36 | shared
whatsmyip.net | 104.18.34.131, 104.18.35.131 | shared
2.0.0.127.zen.spamhaus.org | | unknown
www.anti-abuse.org | 104.31.93.104, 104.31.92.104 | suspicious
smtp.mail.ru | 94.100.180.160, 217.69.139.160 | malicious
jaaree.ir | 162.210.101.84 | unknown
klintholm-ridecenter.dk | 94.231.103.100 | malicious
theearl.com | 98.137.244.36 | suspicious
gidatek.com.tr | 85.95.237.163 | unknown
xn--80anfcfhldeb0h.xn--p1ai | 185.26.122.29 | unknown

Threats

PID | Process | Class | Message
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 156
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic
2800 | 2019-03-20-Spelevo-EK-decoded-payload-from-infected-host.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection
11 ETPRO signatures available at the full report
No debug info