File name:

c0YPfe7h.exe

Full analysis: https://app.any.run/tasks/451a14aa-654c-4ee6-9b57-8e2d6f319695
Verdict: Malicious activity
Analysis date: December 19, 2019, 06:56:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

D4DD051EDB8785EB862D0CEF31BA11B6

SHA1:

830561718EBE06D23435D43EB4F92F16CEE7B1E2

SHA256:

C62D546D650062A5E87ED94DBCFC8319110F30F51ABDFC6DBB6190EC7900AF07

SSDEEP:

49152:eKpwwnDJmizcfNiHJiJ2cVbjhA1Tzgpu2xPqum6PKmErwVYd92WXmeK24O:e4rDTgCYIcVbjaVzEucCV6MroqHX4O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Manual execution by user

      • opera.exe (PID: 2144)

    • Creates files in the user directory

      • opera.exe (PID: 2144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:01 09:03:43+01:00
PEType: PE32
LinkerVersion: 11
CodeSize: 1473536
InitializedDataSize: 8704
UninitializedDataSize: -
EntryPoint: 0x5d2000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 8.1.0.0
ProductVersionNumber: 8.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: c0YPfe7h
FileVersion: 8.1.0.0
InternalName: c0YPfe7h.exe
LegalCopyright: Copyright © 2019 by ExileD
OriginalFileName: c0YPfe7h.exe
ProductName: c0YPfe7h
ProductVersion: 8.1.0.0
AssemblyVersion: 8.1.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 01-Dec-2019 08:03:43

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x867A
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 01-Dec-2019 08:03:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
0x00002000
0x00168000
0x00168000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99957
.rsrc
0x0016A000
0x00001F80
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.38113
.idata
0x0016C000
0x00002000
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.01199
0x0016E000
0x002B4000
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.264678
sdqjeqjp
0x00422000
0x001B0000
0x001AE600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.95483
vupbgwhk
0x005D2000
0x00002000
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.47983

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.04224
2850
UNKNOWN
UNKNOWN
RT_MANIFEST
2
6.52152
3240
UNKNOWN
UNKNOWN
RT_ICON
3
6.39767
872
UNKNOWN
UNKNOWN
RT_ICON
32512
2.44589
34
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

kernel32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start c0ypfe7h.exe opera.exe

Process information

PID
CMD
Path
Indicators
Parent process
2144"C:\Program Files\Opera\opera.exe" C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
Modules
Images
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
2772"C:\Users\admin\AppData\Local\Temp\c0YPfe7h.exe" C:\Users\admin\AppData\Local\Temp\c0YPfe7h.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
c0YPfe7h
Exit code:
0
Version:
8.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\c0ypfe7h.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events
232
Read events
162
Write events
70
Delete events
0

Modification events

(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2772) c0YPfe7h.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\c0YPfe7h_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
0
Suspicious files
25
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr3CB1.tmp
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr3CE0.tmp
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JYN97BB746C5RI4KJGXI.temp
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr7B04.tmp
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr8AF3.tmp
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.datbinary
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:
SHA256:
2144opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF3a4869.TMPbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
39
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
c0YPfe7h.exe
GET
200
103.130.216.100:80
http://exiledros.net/takecode.php?code=1
unknown
text
39 b
malicious
2144
opera.exe
GET
200
172.217.22.14:80
http://clients1.google.com/complete/search?q=youp&client=opera-suggest-omnibox&hl=de
US
text
81 b
whitelisted
2144
opera.exe
GET
301
66.254.114.79:80
http://youporn.com/
US
unknown
2144
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
564 b
whitelisted
2772
c0YPfe7h.exe
GET
200
103.130.216.100:80
http://exiledros.net/cfph.php
unknown
text
4 b
malicious
2144
opera.exe
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAcDTU8tPXiOuD2PeraJLsM%3D
US
der
471 b
whitelisted
2144
opera.exe
GET
200
172.217.22.14:80
http://clients1.google.com/complete/search?q=youporn&client=opera-suggest-omnibox&hl=de
US
text
34 b
whitelisted
2144
opera.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEGP1j20Hi64nAwAAAABmU3w%3D
US
der
471 b
whitelisted
2772
c0YPfe7h.exe
GET
200
103.130.216.100:80
http://exiledros.net/GpRk9lnkYDU7ROyE.php
unknown
text
6 b
malicious
2144
opera.exe
GET
400
185.26.182.112:80
http://sitecheck2.opera.com/?host=youporn.com&hdn=6JB/XY9oG87AAvUd%2BNi2jQ==
unknown
html
150 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2144
opera.exe
66.254.122.104:443
fs.ypncdn.com
Reflected Networks, Inc.
US
suspicious
2144
opera.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2772
c0YPfe7h.exe
103.130.216.100:80
exiledros.net
unknown
2144
opera.exe
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
2144
opera.exe
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2144
opera.exe
172.217.22.14:80
clients1.google.com
Google Inc.
US
whitelisted
2144
opera.exe
66.254.114.79:80
youporn.com
Reflected Networks, Inc.
US
unknown
2144
opera.exe
172.217.16.174:443
www.google-analytics.com
Google Inc.
US
whitelisted
2144
opera.exe
205.185.208.85:443
media.trafficjunky.net
Highwinds Network Group, Inc.
US
unknown
2144
opera.exe
192.35.177.64:80
crl.identrust.com
IdenTrust
US
malicious

DNS requests

Domain
IP
Reputation
exiledros.net
  • 103.130.216.100
malicious
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
clients1.google.com
  • 172.217.22.14
whitelisted
youporn.com
  • 66.254.114.79
unknown
sitecheck2.opera.com
  • 185.26.182.112
  • 185.26.182.93
  • 185.26.182.94
  • 185.26.182.111
whitelisted
ocsp.digicert.com
  • 72.21.91.29
whitelisted
www.youporn.com
  • 66.254.114.79
unknown
fs.ypncdn.com
  • 66.254.122.104
  • 66.254.122.100
  • 66.254.122.102
suspicious
www.google-analytics.com
  • 172.217.16.174
whitelisted

Threats

No threats detected
Process
Message
c0YPfe7h.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
c0YPfe7h.exe