File name: trow.exe
Full analysis: https://app.any.run/tasks/81ba0db1-2ddf-4295-b29a-b5e5a1cb1b26
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files, as well as dropping other malware; the main functionality therefore differs significantly from one trojan family to the next. The most common trojan infection chain starts with a phishing email.

Analysis date: February 05, 2022, 04:37:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, sinkhole
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FB75D4F81BE51074BB4147E781E5B402
SHA1: 55E512EBFE4F3A08A66C35500506837AD2C473C8
SHA256: 94A0A09EE6A21526AC34D41EABF4BA603E9A30C26E6A1DC072FF45749DFB1FE1
SSDEEP: 6144:8osPOD0a/5Qf7I6+ucf6/kR5/J4afNo9b:8osI0M5QJdQbR5SafNcb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • trow.exe (PID: 3540)
      • svchost.exe (PID: 4068)
      • svchost.exe (PID: 2052)
      • svchost.exe (PID: 3420)
      • svchost.exe (PID: 3512)
      • svchost.exe (PID: 2596)
    • Uses SVCHOST.EXE for hidden code execution

      • svchost.exe (PID: 2200)
      • trow.exe (PID: 3540)
      • svchost.exe (PID: 3688)
    • Connects to CnC server

      • trow.exe (PID: 3540)
      • svchost.exe (PID: 4068)
      • svchost.exe (PID: 3512)
      • svchost.exe (PID: 3420)
      • svchost.exe (PID: 2052)
      • svchost.exe (PID: 1668)
      • svchost.exe (PID: 2596)
      • svchost.exe (PID: 1484)
      • svchost.exe (PID: 3100)
  • SUSPICIOUS

    • Reads the computer name

      • trow.exe (PID: 3540)
    • Checks supported languages

      • trow.exe (PID: 3540)
    • Creates files in the user directory

      • trow.exe (PID: 3540)
      • svchost.exe (PID: 1484)
      • svchost.exe (PID: 3512)
      • svchost.exe (PID: 2596)
      • svchost.exe (PID: 1668)
      • svchost.exe (PID: 4068)
      • svchost.exe (PID: 3100)
      • svchost.exe (PID: 3420)
    • Executable content was dropped or overwritten

      • trow.exe (PID: 3540)
    • Drops a file that was compiled in debug mode

      • trow.exe (PID: 3540)
    • Application launched itself

      • svchost.exe (PID: 2200)
      • svchost.exe (PID: 3688)
  • INFO

    • Checks supported languages

      • svchost.exe (PID: 2200)
      • svchost.exe (PID: 3688)
      • svchost.exe (PID: 4068)
      • svchost.exe (PID: 2052)
      • svchost.exe (PID: 3512)
      • svchost.exe (PID: 3420)
      • svchost.exe (PID: 2596)
      • svchost.exe (PID: 1484)
      • svchost.exe (PID: 1668)
      • svchost.exe (PID: 3100)
    • Reads the computer name

      • svchost.exe (PID: 3420)
      • svchost.exe (PID: 3512)
      • svchost.exe (PID: 4068)
      • svchost.exe (PID: 2052)
      • svchost.exe (PID: 1668)
      • svchost.exe (PID: 3100)
      • svchost.exe (PID: 2596)
      • svchost.exe (PID: 1484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductVersion: 7.8.52.7
FileVersion: 7.8.52.7
ProductName: Pedals
Languages: English
OriginalFileName: Pedals.exe
LegalCopyright: Copyright © 2013. All rights reserved. UBTECH Robotics
LegalTrademarks: Copyright © 2013. All rights reserved. UBTECH Robotics
FileDescription: Powershell Fuse 694 Interplay
Comments: Powershell Fuse 694 Interplay
CompanyName: UBTECH Robotics
AssemblyVersion: 7.8.52.7
InternalName: Pedals
PrivateBuild: 7.8.52.7
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 7.8.52.7
FileVersionNumber: 7.8.52.7
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0xcf09
UninitializedDataSize: -
InitializedDataSize: 195584
CodeSize: 134144
LinkerVersion: 9
PEType: PE32
TimeStamp: 2017:06:27 10:21:16+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Jun-2017 08:21:16
Detected languages:
  • English - United States
Debug artifacts:
  • C:\work\cr\evgen\cpp\six\six\release\six.pdb
PrivateBuild: 7.8.52.7
InternalName: Pedals
Assembly Version: 7.8.52.7
CompanyName: UBTECH Robotics
Comments: Powershell Fuse 694 Interplay
FileDescription: Powershell Fuse 694 Interplay
LegalTrademarks: Copyright © 2013. All rights reserved. UBTECH Robotics
LegalCopyright: Copyright © 2013. All rights reserved. UBTECH Robotics
OriginalFilename: Pedals.exe
Languages: English
ProductName: Pedals
FileVersion: 7.8.52.7
ProductVersion: 7.8.52.7

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 27-Jun-2017 08:21:16
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00020B02 | 0x00020C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.78041
.rdata | 0x00022000 | 0x000050CA | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.33078
.data | 0x00028000 | 0x000037E8 | 0x00001C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.42469
.rsrc | 0x0002C000 | 0x00028DC8 | 0x00028E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.25105

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.13549 | 1539 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 5.55262 | 38056 | Latin 1 / Western European | English - United States | RT_ICON
3 | 5.61388 | 21640 | Latin 1 / Western European | English - United States | RT_ICON
101 | 2.50471 | 34 | Latin 1 / Western European | English - United States | RT_GROUP_ICON
3337 | 7.97851 | 60115 | Latin 1 / Western European | English - United States | RCDATA
4346 | 7.97973 | 24340 | Latin 1 / Western European | English - United States | RCDATA
10142 | 1.24218 | 80 | Latin 1 / Western European | English - United States | RT_BITMAP
10574 | 5.53392 | 1744 | Latin 1 / Western European | English - United States | RT_BITMAP
IDP_16_WEBBROWSER_NETSCAPEBROWSER | 7.66203 | 702 | Latin 1 / Western European | English - United States | NPNG
IDP_STYLER_BTNTITLECLOSENORMAL | 7.66042 | 735 | Latin 1 / Western European | English - United States | NPNG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WINHTTP.dll
WTSAPI32.dll
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 11
Malicious processes: 11
Suspicious processes: 0


Process information

PID: 1484
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
PID: 1668
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 2052
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2200
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: trow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2596
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
PID: 3100
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 3420
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3512
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\svchost.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3540
CMD: "C:\Users\admin\AppData\Local\Temp\trow.exe"
Path: C:\Users\admin\AppData\Local\Temp\trow.exe
Parent process: Explorer.EXE
User: admin
Company: UBTECH Robotics
Integrity Level: MEDIUM
Description: Powershell Fuse 694 Interplay
Exit code: 0
Version: 7.8.52.7
Modules (Images):
c:\users\admin\appdata\local\temp\trow.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3688
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: trow.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Total events: 20 512
Read events: 14 308
Write events: 5 881
Delete events: 323

Modification events

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: taswexuahoft
Value:
C:\Users\admin\taswexuahoft.exe

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Wqebisgpwceae
Operation: write
Name: Xunzopsula
Value:
8F8F8F8F8F8F8F8F8F1C1C1C1C1C1C1C

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Wqebisgpwceae
Operation: write
Name: taswexuahoftVermobhaco
Value:
B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1

(PID) Process: (3540) trow.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1

Executable files: 1
Suspicious files: 0
Text files: 32
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\DO7BZHBG.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FSY5CEJ2.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\DVMZL06W.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YKI9B3N2.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\7S6XZD5U.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5VNV4WRC.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\JFP9J3EU.txt | text
3540 | trow.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\AZ0R6HFG.txt | text
1668 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\K572C1C9.txt | text
3512 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\J80XX0O3.txt | text
(No MD5 or SHA256 values are given for the dropped files in this report.)

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 607
TCP/UDP connections: 740
DNS requests: 639
Threats: 548

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3540 | trow.exe | POST | 200 | 104.26.14.53:80 | http://www.elpro.si/ | US | html | 240 Kb | malicious
3540 | trow.exe | POST | - | 64.125.133.18:80 | http://www.reglera.com/ | US | - | - | malicious
3540 | trow.exe | POST | 301 | 82.201.61.230:80 | http://www.nelipak.nl/ | NL | html | 231 b | malicious
3540 | trow.exe | POST | 301 | 82.201.61.230:80 | http://www.nelipak.nl/ | NL | html | 231 b | malicious
3540 | trow.exe | POST | 200 | 104.26.11.81:80 | http://www.com-sit.com/ | US | html | 126 Kb | malicious
3540 | trow.exe | POST | 301 | 3.89.178.37:80 | http://www.pohlfood.com/ | US | - | - | malicious
3540 | trow.exe | POST | 301 | 142.250.185.179:80 | http://www.depalo.com/ | US | html | 219 b | malicious
3540 | trow.exe | POST | 200 | 104.21.66.46:80 | http://www.pcgrate.com/ | US | html | 126 Kb | malicious
3540 | trow.exe | POST | 301 | 217.19.237.54:80 | http://www.speelhal.net/ | BE | - | - | malicious
3540 | trow.exe | POST | 403 | 147.154.3.56:80 | http://www.nqks.com/ | US | html | 928 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3540 | trow.exe | 104.26.14.53:80 | www.elpro.si | Cloudflare Inc | US | malicious
- | - | 80.74.154.6:80 | www.transsib.com | METANET AG | CH | malicious
- | - | 3.89.178.37:80 | www.pohlfood.com | - | US | malicious
3540 | trow.exe | 148.251.33.194:80 | www.mobilnic.net | Hetzner Online GmbH | DE | malicious
3540 | trow.exe | 104.26.11.81:80 | www.com-sit.com | Cloudflare Inc | US | shared
3540 | trow.exe | 210.140.73.39:80 | www.ex-olive.com | Yahoo Japan Corporation | JP | whitelisted
3540 | trow.exe | 192.124.249.20:80 | www.dgmna.com | Sucuri | US | malicious
3540 | trow.exe | 157.112.182.239:80 | www.sclover3.com | SAKURA Internet Inc. | JP | malicious
- | - | 172.67.208.67:80 | www.jenco.co.uk | - | US | malicious
- | - | 147.154.3.56:80 | www.nqks.com | - | US | malicious

DNS requests

Domain | IP | Reputation
www.elpro.si | 104.26.14.53, 172.67.70.22, 104.26.15.53 | malicious
www.transsib.com | 80.74.154.6 | malicious
www.sclover3.com | 157.112.182.239 | malicious
www.reglera.com | 64.125.133.18 | unknown
www.pohlfood.com | 3.89.178.37 | malicious
www.nelipak.nl | 82.201.61.230 | malicious
www.ex-olive.com | 210.140.73.39 | malicious
www.mobilnic.net | 148.251.33.194 | malicious
www.sjbs.org | 162.214.120.26 | malicious
www.crcsi.org | 165.227.252.190 | malicious

Threats

PID | Process | Class | Message
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin
3540 | trow.exe | A Network Trojan was detected | ET TROJAN Backdoor.Win32.Pushdo.s Checkin

Debug info: No debug info