Malware analysis Photo.scr Malicious activity | ANY.RUN

Add for printing

File name:	Photo.scr
Full analysis:	https://app.any.run/tasks/bcb2161e-cc38-474f-9c4d-9a1787360b7c
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Malware Trends Tracker >>>
Analysis date:	January 16, 2025, 12:00:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	bittorrent mozi botnet python ftp pyinstaller upx xmrig
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	9F3069E77D062DA63B7BA5C1F35E9937
SHA1:	1F4D13FDD0BF0B0251B31B0AFA2A9C2FB0B0140E
SHA256:	EBCDF536447CBA219A13756C00C97B4ED5FEA47F2CBF2283EA86E80216D3822E
SSDEEP:	98304:dqMqN+w41tP2IHHAHuw4lUSlulY+fWEoOB/xsmCDGID95NM+x48rzPH9ATnVlYLW:seuGME+pGoSYe4k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- XMRIG has been detected (YARA)
  - xmrig.exe (PID: 1380)
- BITTORRENT has been detected (SURICATA)
  - HelpPane.exe (PID: 6216)
- MOZI has been detected (SURICATA)
  - HelpPane.exe (PID: 6216)
SUSPICIOUS
- Process drops python dynamic module
  - Photo.scr.exe (PID: 6392)
  - Photo.scr.exe (PID: 6664)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
  - HelpPane.exe (PID: 3736)
- Process drops legitimate windows executable
  - Photo.scr.exe (PID: 6664)
  - Photo.scr.exe (PID: 6392)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
  - HelpPane.exe (PID: 3736)
- Executable content was dropped or overwritten
  - Photo.scr.exe (PID: 6664)
  - Photo.scr.exe (PID: 6392)
  - cmd.exe (PID: 6836)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
  - HelpPane.exe (PID: 3736)
  - cmd.exe (PID: 6516)
- Application launched itself
  - Photo.scr.exe (PID: 6664)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 3736)
  - HelpPane.exe (PID: 7120)
  - Photo.scr.exe (PID: 6464)
  - Photo.scr.exe (PID: 6392)
- The process drops C-runtime libraries
  - Photo.scr.exe (PID: 6392)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
  - HelpPane.exe (PID: 3736)
  - Photo.scr.exe (PID: 6664)
- Loads Python modules
  - Photo.scr.exe (PID: 6816)
  - HelpPane.exe (PID: 7020)
  - HelpPane.exe (PID: 7152)
  - HelpPane.exe (PID: 6216)
- Starts CMD.EXE for commands execution
  - Photo.scr.exe (PID: 6816)
  - HelpPane.exe (PID: 6216)
- The executable file from the user directory is run by the CMD process
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
- Executes as Windows Service
  - HelpPane.exe (PID: 3736)
  - spoolsv.exe (PID: 7024)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 6292)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - HelpPane.exe (PID: 6216)
- Potential Corporate Privacy Violation
  - HelpPane.exe (PID: 6216)
- Contacting a server suspected of hosting an CnC
  - HelpPane.exe (PID: 6216)
- Connects to unusual port
  - HelpPane.exe (PID: 6216)
- Connects to FTP
  - HelpPane.exe (PID: 6216)
INFO
- Checks supported languages
  - Photo.scr.exe (PID: 6392)
  - Photo.scr.exe (PID: 6816)
  - Photo.scr.exe (PID: 6664)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7020)
  - HelpPane.exe (PID: 7120)
  - HelpPane.exe (PID: 3736)
  - HelpPane.exe (PID: 7152)
  - xmrig.exe (PID: 1380)
  - HelpPane.exe (PID: 6216)
  - Photo.scr.exe (PID: 6464)
- The sample compiled with english language support
  - Photo.scr.exe (PID: 6664)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
  - HelpPane.exe (PID: 3736)
  - Photo.scr.exe (PID: 6392)
- Reads the machine GUID from the registry
  - Photo.scr.exe (PID: 6816)
  - HelpPane.exe (PID: 7020)
  - HelpPane.exe (PID: 7152)
  - HelpPane.exe (PID: 6216)
- Create files in a temporary directory
  - Photo.scr.exe (PID: 6392)
  - HelpPane.exe (PID: 6968)
  - HelpPane.exe (PID: 7120)
  - Photo.scr.exe (PID: 6664)
- Reads the computer name
  - Photo.scr.exe (PID: 6816)
  - HelpPane.exe (PID: 7020)
  - HelpPane.exe (PID: 7152)
  - xmrig.exe (PID: 1380)
  - HelpPane.exe (PID: 6216)
- PyInstaller has been detected (YARA)
  - HelpPane.exe (PID: 6216)
  - HelpPane.exe (PID: 3736)
- UPX packer has been detected
  - HelpPane.exe (PID: 6216)
  - xmrig.exe (PID: 1380)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:09:04 14:43:33+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	125952
InitializedDataSize:	122368
UninitializedDataSize:	-
EntryPoint:	0x79d3
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1380

C:\WINDOWS\TEMP\xmrig.exe

C:\Windows\Temp\xmrig.exe

HelpPane.exe

User:

SYSTEM

Company:

www.xmrig.com

Integrity Level:

SYSTEM

Description:

XMRig CPU miner

Version:

2.14.1

Modules

Images
c:\windows\temp\xmrig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

3188

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

xmrig.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3508

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3736

"C:\Users\admin\HelpPane.exe"

C:\Users\admin\HelpPane.exe

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Modules

Images
c:\users\admin\helppane.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

4076

netsh firewall add allowedprogram C:\Users\admin\HelpPane.exe "MyApp" ENABLE

C:\Windows\SysWOW64\netsh.exe

—

HelpPane.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

5564

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6152

C:\WINDOWS\system32\cmd.exe /c copy /y C:\WINDOWS\TEMP\_MEI37~1\\config.json C:\WINDOWS\TEMP\config.json

C:\Windows\SysWOW64\cmd.exe

—

HelpPane.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

6216

"C:\Users\admin\HelpPane.exe"

C:\Users\admin\HelpPane.exe

HelpPane.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Modules

Images
c:\users\admin\helppane.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

6292

C:\WINDOWS\system32\cmd.exe /c taskkill /pid 2652 /f

C:\Windows\SysWOW64\cmd.exe

—

HelpPane.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

6372

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

3 355

Read events

3 275

Write events

Delete events

Modification events


(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print
Operation:	write	Name:	BeepEnabled
Value: 0
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices
Operation:	write	Name:	OneNote (Desktop)
Value: winspool,nul:
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts
Operation:	write	Name:	OneNote (Desktop)
Value: winspool,nul:,15,45
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
Operation:	write	Name:	Ne00:
Value:
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices
Operation:	write	Name:	Microsoft XPS Document Writer
Value: winspool,Ne00:
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts
Operation:	write	Name:	Microsoft XPS Document Writer
Value: winspool,Ne00:,15,45
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
Operation:	write	Name:	Ne01:
Value:
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices
Operation:	write	Name:	Microsoft Print to PDF
Value: winspool,Ne01:
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts
Operation:	write	Name:	Microsoft Print to PDF
Value: winspool,Ne01:,15,45
(PID) Process:	(7024) spoolsv.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
Operation:	write	Name:	Ne02:
Value:

Add for printing

Executable files

127

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\_socket.pyd		executable
		MD5:BE47363992C7DD90019276D35FA8DA76	SHA256:BE10254B111713BEF20A13D561DE61CA3C74A34C64DDC5B10825C64AB2C46734
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\_win32sysloader.pyd		executable
		MD5:B4A567D80CCC08FB1C7FBB765847AFDA	SHA256:DBB0F9C499A710BBC8BCDE4ECC3577A6C9548262D6CE4434ED5A0708CBC787DD
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\Microsoft.VC90.CRT.manifest		xml
		MD5:BFB93876892CCA8E2AD0021585C34C8B	SHA256:0D060ED7C25159B7B75F16D449963BFD639C15B3C5280BC7897403268C2B9F35
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\msvcp90.dll		executable
		MD5:92EA2DB0E788894C43753C550216A886	SHA256:9694756F43B20ABC50F95646C54E9E36CD6EDF8EED3DB846064567399F4E7566
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\_hashlib.pyd		executable
		MD5:EE134421FBABEB565E4F3CA721331C2E	SHA256:7863E1BEDFE1FFC720B67B2EB7B3491DB9D2B8E56B5574E6A40FF90336B8DAFA
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\bz2.pyd		executable
		MD5:C9C00BC854A39E66B27787D188F9E8D7	SHA256:29520DF660A5BBD704B9106A6650A66E4F5766B904D05F97146668D41DBF5839
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\ftpcrack.exe.manifest		xml
		MD5:B5DEA49B86C5BB5D9CD8D64A09F70065	SHA256:78B1160F6ADAB34D144AD19A0F4B83F83453F1E18460BBDFBE17AD354B62AF7D
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\_ctypes.pyd		executable
		MD5:6CB8B560EFBC381651D2045F1571D7C8	SHA256:6456FEA123E04BCEC8A8EED26160E1DF5482E69D187D3E1A0C428995472AC134
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\Crypto.Cipher._AES.pyd		executable
		MD5:371397E80A55D432DA47311B8EF25317	SHA256:C1A900615C9500C46B9602C30C53F299290B03632208EF1152AF8830AB73AD17
6392	Photo.scr.exe	C:\Users\admin\AppData\Local\Temp\_MEI63922\msvcr90.dll		executable
		MD5:199D34B03C7D0EB804A6D9869184B8D4	SHA256:DF86421E354F817607F2BAFC9188569242FCF9DD564B28F3E2915C86A0BA1F54

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

13 267

DNS requests

Threats

453

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2144	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2144	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6840	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6840	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6216	HelpPane.exe	GET	—	34.54.112.236:21	http://34.54.112.236:21/	unknown	—	—	unknown
6216	HelpPane.exe	GET	—	34.54.112.236:2121	http://34.54.112.236:2121/	unknown	—	—	unknown
6728	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.23.227.208:443	—	Ooredoo Q.S.C.	QA	unknown
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2144	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2144	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1076	svchost.exe	2.23.242.9:443	go.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	2.23.227.208:443	—	Ooredoo Q.S.C.	QA	unknown
1176	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
google.com	142.250.181.238	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
go.microsoft.com	2.23.242.9	whitelisted
login.live.com	20.190.160.14 40.126.32.136 40.126.32.134 40.126.32.140 40.126.32.76 20.190.160.22 40.126.32.133 40.126.32.72	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
dht.transmissionbt.com	212.129.33.59 87.98.162.88	unknown
xmr.crypto-pool.fr	—	unknown
router.bittorrent.com	67.215.246.10	whitelisted

Threats

PID	Process	Class	Message
6216	HelpPane.exe	Misc activity	INFO [ANY.RUN] P2P BitTorrent Protocol
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent
6216	HelpPane.exe	Malware Command and Control Activity Detected	ET MALWARE Mozi Botnet DHT Config Sent

Add for printing

No debug info

General Info

Photo.scr

9F3069E77D062DA63B7BA5C1F35E9937

1F4D13FDD0BF0B0251B31B0AFA2A9C2FB0B0140E

EBCDF536447CBA219A13756C00C97B4ED5FEA47F2CBF2283EA86E80216D3822E

98304:dqMqN+w41tP2IHHAHuw4lUSlulY+fWEoOB/xsmCDGID95NM+x48rzPH9ATnVlYLW:seuGME+pGoSYe4k

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XMRIG has been detected (YARA)

BITTORRENT has been detected (SURICATA)

MOZI has been detected (SURICATA)

SUSPICIOUS

Process drops python dynamic module

Process drops legitimate windows executable

Executable content was dropped or overwritten

Application launched itself

The process drops C-runtime libraries

Loads Python modules

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Executes as Windows Service

Uses TASKKILL.EXE to kill process

Uses NETSH.EXE to add a firewall rule or allowed programs

Potential Corporate Privacy Violation

Contacting a server suspected of hosting an CnC

Connects to unusual port

Connects to FTP

INFO

Checks supported languages

The sample compiled with english language support

Reads the machine GUID from the registry

Create files in a temporary directory

Reads the computer name

PyInstaller has been detected (YARA)

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings