File name: spf.exe

Full analysis: https://app.any.run/tasks/0d4197bc-912f-4c13-87f4-a709502969da
Verdict: Malicious activity
Analysis date: August 03, 2025, 20:33:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: m0yv, vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: 17A5D05A72C3A9A578F3067075E6B84C
SHA1: FF48E6F2C69BB3158E7FA8ABB6EFB574478E4301
SHA256: B6B9BBB573350E11D22089D22258125D6ECD0C86D22B1975729FC9125AA1F028
SSDEEP: 98304:wuYgToyMklCJdqYibNvRt7Jg7sj9QFF4wWN08w92z+xnhveCDOA5ekYSxCcsUJxb:vFvQFi9pfJqRAR1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • stb.exe (PID: 640)
      • spf.vmp.exe (PID: 2216)
      • armsvc.exe (PID: 4880)
      • alg.exe (PID: 5904)
      • AppVClient.exe (PID: 4036)
      • FXSSVC.exe (PID: 6304)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4264)
      • elevation_service.exe (PID: 1636)
      • updater.exe (PID: 3400)
      • updater.exe (PID: 6264)
      • updater.exe (PID: 5252)
      • updater.exe (PID: 6900)
      • elevation_service.exe (PID: 5032)
      • maintenanceservice.exe (PID: 3740)
      • updater.exe (PID: 4680)
      • PerceptionSimulationService.exe (PID: 4196)
      • updater.exe (PID: 3836)
      • msdtc.exe (PID: 5548)
      • perfhost.exe (PID: 436)
      • PSEXESVC.exe (PID: 5188)
      • FlashPlayerUpdateService.exe (PID: 3092)
      • SensorDataService.exe (PID: 7212)
      • snmptrap.exe (PID: 7284)
      • Spectrum.exe (PID: 7332)
      • ssh-agent.exe (PID: 7432)
      • vds.exe (PID: 7620)
      • VSSVC.exe (PID: 7676)
      • wbengine.exe (PID: 7740)
      • TieringEngineService.exe (PID: 7512)
      • AgentService.exe (PID: 7588)
      • SearchIndexer.exe (PID: 7856)
      • WmiApSrv.exe (PID: 7800)
      • Locator.exe (PID: 7172)
    • M0YV has been detected (YARA)

      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4264)
      • GameInputSvc.exe (PID: 3936)
      • GameInputSvc.exe (PID: 7140)
      • spf.vmp.exe (PID: 2216)
      • alg.exe (PID: 5904)
      • armsvc.exe (PID: 4880)
      • elevation_service.exe (PID: 5032)
      • elevation_service.exe (PID: 1636)
      • msdtc.exe (PID: 5548)
      • PerceptionSimulationService.exe (PID: 4196)
      • perfhost.exe (PID: 436)
      • PSEXESVC.exe (PID: 5188)
      • Locator.exe (PID: 7172)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • spf.exe (PID: 2348)
      • spf.vmp.exe (PID: 2216)
    • Reads security settings of Internet Explorer

      • spf.exe (PID: 2348)
    • Executes as Windows Service

      • armsvc.exe (PID: 4880)
      • FlashPlayerUpdateService.exe (PID: 3092)
      • AppVClient.exe (PID: 4036)
      • alg.exe (PID: 5904)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 4264)
      • MicrosoftEdgeUpdate.exe (PID: 1204)
      • FXSSVC.exe (PID: 6304)
      • GameInputSvc.exe (PID: 3936)
      • updater.exe (PID: 6264)
      • updater.exe (PID: 4680)
      • maintenanceservice.exe (PID: 3740)
      • msdtc.exe (PID: 5548)
      • perfhost.exe (PID: 436)
      • PerceptionSimulationService.exe (PID: 4196)
      • PSEXESVC.exe (PID: 5188)
      • Locator.exe (PID: 7172)
      • snmptrap.exe (PID: 7284)
      • SensorDataService.exe (PID: 7212)
      • Spectrum.exe (PID: 7332)
      • VSSVC.exe (PID: 7676)
      • AgentService.exe (PID: 7588)
      • TieringEngineService.exe (PID: 7512)
      • wbengine.exe (PID: 7740)
      • vds.exe (PID: 7620)
      • WmiApSrv.exe (PID: 7800)
      • ssh-agent.exe (PID: 7432)
    • Process drops legitimate windows executable

      • spf.vmp.exe (PID: 2216)
    • Application launched itself

      • GameInputSvc.exe (PID: 3936)
      • updater.exe (PID: 6264)
      • updater.exe (PID: 5252)
      • updater.exe (PID: 4680)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 8124)
    • Starts CMD.EXE for commands execution

      • spf.vmp.exe (PID: 2216)
    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 8140)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 6408)
    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 1212)
  • INFO

    • Checks supported languages

      • spf.exe (PID: 2348)
      • stb.exe (PID: 640)
      • spf.vmp.exe (PID: 2216)
      • FlashPlayerUpdateService.exe (PID: 3092)
      • MicrosoftEdgeUpdate.exe (PID: 1204)
      • updater.exe (PID: 6264)
      • updater.exe (PID: 3400)
      • updater.exe (PID: 5252)
      • elevation_service.exe (PID: 1636)
      • updater.exe (PID: 6900)
      • elevation_service.exe (PID: 5032)
      • updater.exe (PID: 4680)
      • maintenanceservice.exe (PID: 3740)
      • updater.exe (PID: 3836)
      • PSEXESVC.exe (PID: 5188)
      • armsvc.exe (PID: 4880)
      • ssh-agent.exe (PID: 7432)
    • Reads the computer name

      • spf.exe (PID: 2348)
      • stb.exe (PID: 640)
      • spf.vmp.exe (PID: 2216)
      • armsvc.exe (PID: 4880)
      • elevation_service.exe (PID: 1636)
      • updater.exe (PID: 6264)
      • updater.exe (PID: 3400)
      • updater.exe (PID: 5252)
      • updater.exe (PID: 6900)
      • updater.exe (PID: 4680)
      • elevation_service.exe (PID: 5032)
      • maintenanceservice.exe (PID: 3740)
      • updater.exe (PID: 3836)
      • PSEXESVC.exe (PID: 5188)
      • FlashPlayerUpdateService.exe (PID: 3092)
      • ssh-agent.exe (PID: 7432)
    • Creates files in a temporary directory

      • spf.exe (PID: 2348)
    • Process checks computer location settings

      • spf.exe (PID: 2348)
    • Creates files or folders in the user directory

      • spf.vmp.exe (PID: 2216)
    • The sample compiled with English language support

      • spf.vmp.exe (PID: 2216)
    • Creates files in the program directory

      • FXSSVC.exe (PID: 6304)
      • maintenanceservice.exe (PID: 3740)
      • SearchIndexer.exe (PID: 7856)
    • Executes as Windows Service

      • elevation_service.exe (PID: 1636)
      • elevation_service.exe (PID: 5032)
      • SearchIndexer.exe (PID: 7856)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6264)
      • updater.exe (PID: 5252)
      • updater.exe (PID: 4680)
    • Reads the software policy settings

      • GameInputSvc.exe (PID: 7140)
      • slui.exe (PID: 2028)
    • Checks transactions between databases Windows and Oracle

      • msdtc.exe (PID: 5548)
    • Checks proxy server information

      • spf.vmp.exe (PID: 2216)
      • slui.exe (PID: 2028)
    • Reads the time zone

      • TieringEngineService.exe (PID: 7512)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8140)
      • WMIC.exe (PID: 1212)
      • SearchProtocolHost.exe (PID: 1468)
    • The sample compiled with Bulgarian language support

      • spf.vmp.exe (PID: 2216)
    • VMProtect protector has been detected

      • spf.vmp.exe (PID: 2216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 5183488
UninitializedDataSize: -
EntryPoint: 0x1475
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 182
Monitored processes: 48
Malicious processes: 36
Suspicious processes: 0

Behavior graph

start spf.exe #M0YV spf.vmp.exe conhost.exe no specs #M0YV stb.exe no specs #M0YV armsvc.exe #M0YV flashplayerupdateservice.exe no specs #M0YV alg.exe no specs #M0YV appvclient.exe no specs #M0YV diagnosticshub.standardcollector.service.exe no specs microsoftedgeupdate.exe no specs #M0YV fxssvc.exe no specs #M0YV gameinputsvc.exe no specs #M0YV gameinputsvc.exe no specs #M0YV elevation_service.exe no specs #M0YV updater.exe no specs #M0YV updater.exe no specs #M0YV updater.exe no specs #M0YV elevation_service.exe no specs #M0YV updater.exe no specs #M0YV updater.exe no specs #M0YV maintenanceservice.exe no specs #M0YV updater.exe no specs #M0YV msdtc.exe no specs #M0YV perceptionsimulationservice.exe no specs #M0YV perfhost.exe no specs #M0YV psexesvc.exe no specs #M0YV locator.exe no specs #M0YV sensordataservice.exe no specs #M0YV snmptrap.exe no specs #M0YV spectrum.exe no specs #M0YV ssh-agent.exe no specs #M0YV tieringengineservice.exe no specs #M0YV agentservice.exe no specs #M0YV vds.exe no specs #M0YV vssvc.exe no specs #M0YV wbengine.exe no specs #M0YV wmiapsrv.exe no specs #M0YV searchindexer.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs svchost.exe slui.exe searchprotocolhost.exe no specs searchfilterhost.exe no specs spf.exe no specs

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 436
CMD: C:\WINDOWS\SysWow64\perfhost.exe
Path: C:\Windows\SysWOW64\perfhost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: x86 Performance Counter Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\perfhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
PID: 640
CMD: "C:\Users\admin\AppData\Local\Temp\stb.exe"
Path: C:\Users\admin\AppData\Local\Temp\stb.exe
Parent process: spf.exe
User: admin
Integrity Level: HIGH
Exit code: 280539127
Modules (images):
c:\users\admin\appdata\local\temp\stb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\win32u.dll
c:\windows\system32\wininet.dll
PID: 1100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: spf.vmp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1204
CMD: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
Path: C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Edge Update
Exit code: 2147748608
Version: 1.3.147.37
Modules (images):
c:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1212
CMD: wmic csproduct get uuid
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1468
CMD: "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.0.19041.3758 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1636
CMD: "C:\Program Files\Google\Chrome\Application\133.0.6943.127\elevation_service.exe"
Path: C:\Program Files\Google\Chrome\Application\133.0.6943.127\elevation_service.exe
Parent process: services.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Chrome
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\133.0.6943.127\elevation_service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 2028
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2216
CMD: "C:\Users\admin\AppData\Local\Temp\spf.vmp.exe"
Path: C:\Users\admin\AppData\Local\Temp\spf.vmp.exe
Parent process: spf.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\appdata\local\temp\spf.vmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 17 555
Read events: 17 477
Write events: 54
Delete events: 24

Modification events

(PID) Process: (4880) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 1632000

(PID) Process: (6304) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Password
Value: 00

(PID) Process: (6304) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: delete value
Name: Password
Value:

(PID) Process: (6304) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: Server
Value:

(PID) Process: (6304) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: From
Value:

(PID) Process: (6304) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation: write
Name: User
Value:

(PID) Process: (6304) FXSSVC.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Operation: write
Name: RedirectionGuard
Value: 1

(PID) Process: (7856) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003eb
Value:

(PID) Process: (7856) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Operation: delete value
Name: 000003eb
Value:

(PID) Process: (7856) SearchIndexer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation: delete value
Name: 000003f5
Value:

Executable files: 144
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2216 | spf.vmp.exe | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | executable
MD5: E3EA3DE209209E8932C24FD7FB4EDFA5
SHA256: B3B1C0E4917371098CE2E1261E1B4F713DCD970B2B5218C8F67072697C346A8D
2216 | spf.vmp.exe | C:\Windows\System32\alg.exe | executable
MD5: 687042F9E4EA55B9D0CEB0C02FD6365F
SHA256: 07E4A0D90D67A501E28D505DEE32862A5B23074A5883BAB4585CE87EA07C845D
2348 | spf.exe | C:\Users\admin\AppData\Local\Temp\spf.vmp.exe | executable
MD5: 4032425007B9753FD4F5739270789F29
SHA256: 5B51BDFBF8A00B5B06731E1A5ABE4B0872F2924681FFE597AF59C01BF7100A84
4880 | armsvc.exe | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: FBE991102A03A2EE56AE0644ADFDFBB3
SHA256: 70C29124A54E68186CA1F6AF84EB78B07C679B62138E5EFD1C5D00162D30A91E
2216 | spf.vmp.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
MD5: 0EF962F1B2845E991059AEF9DCA8D617
SHA256: 3F21EA844AE01619D1F6BF6721639D2F12FE65364515F01BDCE700011976CC44
2348 | spf.exe | C:\Users\admin\AppData\Local\Temp\stb.exe | executable
MD5: F805640B07793D959B67A53DF7CF3954
SHA256: 00830A15E497A4A24CFBA9D5B9DC03F4363A7795ABE3038FFB2B1A6A23B3A116
2216 | spf.vmp.exe | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\elevation_service.exe | executable
MD5: A1AF38F862619074A5D6A42DA72C5F5C
SHA256: E9688BD57F96D8E63F114E66B57E5E8E18DC599D59A37D52258A35A18D30C46E
2216 | spf.vmp.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.127\elevation_service.exe | executable
MD5: A339655F8099A2B03C9B9D72F0DF0BA9
SHA256: D8AB8641DE1F3E4C5CC4CC54F81B28392DC99159B900D3C445D528AFFE39D909
2216 | spf.vmp.exe | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe | executable
MD5: 3322B4493C026C4762EC1A4A41929BBF
SHA256: 1A7E9D83F8F700F3AF35BA642FFE6E9C95F02C86BECA651DB31CF7D0BF10235E
2216 | spf.vmp.exe | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | executable
MD5: FE6E0D1EC2CDD94020D3F63F90A835A5
SHA256: 3859B5FE6E0351A33B3036D44FA684BE1B42B3F67EF0F967E4ED00964514C198
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 103
TCP/UDP connections: 100
DNS requests: 91
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4160 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4880 | armsvc.exe | POST | 200 | 44.244.22.128:80 | http://pywolwnvd.biz/eltdssmxggy | unknown | | | malicious
2216 | spf.vmp.exe | POST | 200 | 44.244.22.128:80 | http://pywolwnvd.biz/lvkfekgx | unknown | | | malicious
2216 | spf.vmp.exe | POST | 200 | 50.16.27.236:80 | http://ssbzmoy.biz/uiwtefbqnf | unknown | | | unknown
4880 | armsvc.exe | POST | 200 | 50.16.27.236:80 | http://ssbzmoy.biz/if | unknown | | | unknown
2216 | spf.vmp.exe | POST | 200 | 44.244.22.128:80 | http://cvgrf.biz/ynwcuropodmmcgid | unknown | | | malicious
4880 | armsvc.exe | POST | 200 | 44.244.22.128:80 | http://cvgrf.biz/eelrtmecr | unknown | | | malicious
2216 | spf.vmp.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/xvpuqcfhifop | unknown | | | malicious
4880 | armsvc.exe | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/vgggeq | unknown | | | malicious
2216 | spf.vmp.exe | POST | 200 | 172.237.146.25:80 | http://przvgke.biz/pdtnjava | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4160 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.15:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.15:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4160 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.216.77.15
  • 23.216.77.20
  • 23.216.77.33
  • 23.216.77.12
  • 23.216.77.5
  • 23.216.77.41
  • 23.216.77.42
  • 23.216.77.29
  • 23.216.77.10
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
pywolwnvd.biz
  • 44.244.22.128
malicious
ssbzmoy.biz
  • 50.16.27.236
unknown
cvgrf.biz
  • 44.244.22.128
malicious
npukfztj.biz
  • 3.229.117.57
malicious
przvgke.biz
  • 172.237.146.25
  • 172.233.219.78
  • 172.237.146.8
  • 172.233.219.123
  • 172.237.146.38
  • 172.233.219.49
unknown
zlenh.biz
unknown

Threats

PID | Process | Class | Message
2200 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2200 | svchost.exe | A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2216 | spf.vmp.exe | Misc activity | ET INFO Namecheap URL Forward
4880 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
2216 | spf.vmp.exe | Misc activity | ET INFO Namecheap URL Forward
4880 | armsvc.exe | Misc activity | ET INFO Namecheap URL Forward
No debug info