Malware analysis Virus.zip Malicious activity | ANY.RUN

Add for printing

File name:	Virus.zip
Full analysis:	https://app.any.run/tasks/237448ed-5d33-4565-84d9-599fa3acf5de
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	November 06, 2023, 23:13:47
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	winwebsec adware brontok trojan
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	3CA9B55E573DCC977BB1167D5A3D6FD0
SHA1:	50AE8AFE81B62BBB170523E6A3E6404F5460C1D7
SHA256:	15016FB331CEF2F2CE4FEDA5CE61B5560E7BE4CA031D0759531C9A639229FB06
SSDEEP:	98304:/dOmsMV7Q1TpfJd5DkBhMwHeqnBHAJ0wOqwHeqnBHAJ0wORXauNeeGhmXc8KH1Zs:mdgaLJLP8PGACaLOxpJQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- WINWEBSEC has been detected (SURICATA)
  - 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3632)
- Drops the executable file immediately after the start
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - 02 el culpable(2)11.exe (PID: 2856)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
  - 74BE16.EXE (PID: 2516)
- Changes appearance of the Explorer extensions
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - winlogon.exe (PID: 3820)
  - services.exe (PID: 1924)
  - lsass.exe (PID: 2260)
  - inetinfo.exe (PID: 2428)
  - sempalong.exe (PID: 3780)
  - smss.exe (PID: 2120)
  - 02 el culpable(2)11.exe (PID: 2856)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
  - xoaixo.exe (PID: 2988)
- Changes the autorun value in the registry
  - winlogon.exe (PID: 3820)
  - services.exe (PID: 1924)
  - lsass.exe (PID: 2260)
  - inetinfo.exe (PID: 2428)
  - sempalong.exe (PID: 3780)
  - smss.exe (PID: 2120)
  - xoaixo.exe (PID: 2988)
  - smss.exe (PID: 3616)
- Create files in the Startup directory
  - smss.exe (PID: 3616)
- Gets startup folder path (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Gets path to any of the special folders (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Accesses system services(Win32_Service) via WMI (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Reads the value of a key from the registry (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Registers / Runs the DLL via REGSVR32.EXE
  - frchsysguard.exe (PID: 1356)
- Connects to the CnC server
  - asr64_ldm.exe (PID: 3676)
- BRONTOK has been detected (SURICATA)
  - inetinfo.exe (PID: 2428)
SUSPICIOUS
- Creates executable files that already exist in Windows
  - WinRAR.exe (PID: 3440)
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 3440)
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 3440)
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
- Connects to the server without a host name
  - 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3632)
- Starts itself from another location
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - sempalong.exe (PID: 3780)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Creates a Folder object (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Executes WMI query (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Reads the Internet Settings
  - frchsysguard.exe (PID: 1356)
  - 74BE16.EXE (PID: 2516)
  - 02 el culpable(2)11.exe (PID: 2856)
  - WMIC.exe (PID: 2824)
  - WMIC.exe (PID: 3840)
  - WMIC.exe (PID: 3124)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
  - WMIC.exe (PID: 3240)
  - WMIC.exe (PID: 3584)
  - inetinfo.exe (PID: 2428)
  - asr64_ldm.exe (PID: 3676)
- Runs shell command (SCRIPT)
  - frchsysguard.exe (PID: 1356)
- Uses WMIC.EXE to obtain BIOS management information
  - 1429952535.exe (PID: 3200)
- Connects to unusual port
  - 02 el culpable(2)11.exe (PID: 2856)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
- Reads security settings of Internet Explorer
  - asr64_ldm.exe (PID: 3676)
- Checks Windows Trust Settings
  - asr64_ldm.exe (PID: 3676)
- Reads settings of System Certificates
  - asr64_ldm.exe (PID: 3676)
INFO
- Manual execution by a user
  - 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3632)
  - wmpnscfg.exe (PID: 3828)
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - frchsysguard.exe (PID: 1356)
  - sempalong.exe (PID: 3780)
  - 74BE16.EXE (PID: 2516)
  - 02 el culpable(2)11.exe (PID: 2856)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
  - 6F63A59D00099D89004AE618E56C3425.exe (PID: 2940)
  - 1429952535.exe (PID: 2452)
  - 1429952535.exe (PID: 3200)
  - asr64_ldm.exe (PID: 3676)
  - cmd.exe (PID: 1528)
  - DisplaySwitch.exe (PID: 1856)
- Checks supported languages
  - wmpnscfg.exe (PID: 3828)
  - 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3632)
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - winlogon.exe (PID: 3820)
  - frchsysguard.exe (PID: 1356)
  - services.exe (PID: 1924)
  - lsass.exe (PID: 2260)
  - inetinfo.exe (PID: 2428)
  - smss.exe (PID: 2120)
  - sempalong.exe (PID: 3780)
  - 6F63A59D00099D89004AE618E56C3425.exe (PID: 2940)
  - 74BE16.EXE (PID: 2516)
  - 02 el culpable(2)11.exe (PID: 2856)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
  - xoaixo.exe (PID: 2988)
  - xuazue.exe (PID: 2908)
  - 1429952535.exe (PID: 3200)
  - asr64_ldm.exe (PID: 3676)
  - DisplaySwitch.exe (PID: 1856)
- Reads the computer name
  - 6F638C122B17ABE917FE28AE7B07D287.exe (PID: 3632)
  - wmpnscfg.exe (PID: 3828)
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - winlogon.exe (PID: 3820)
  - services.exe (PID: 1924)
  - frchsysguard.exe (PID: 1356)
  - lsass.exe (PID: 2260)
  - inetinfo.exe (PID: 2428)
  - sempalong.exe (PID: 3780)
  - smss.exe (PID: 2120)
  - 6F63A59D00099D89004AE618E56C3425.exe (PID: 2940)
  - 74BE16.EXE (PID: 2516)
  - 02 el culpable(2)11.exe (PID: 2856)
  - 3_AYTO_PTOING2010_TLALNEPANTLA(1).exe (PID: 2132)
  - 1429952535.exe (PID: 3200)
  - xoaixo.exe (PID: 2988)
  - xuazue.exe (PID: 2908)
  - asr64_ldm.exe (PID: 3676)
- Reads the machine GUID from the registry
  - wmpnscfg.exe (PID: 3828)
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - winlogon.exe (PID: 3820)
  - services.exe (PID: 1924)
  - frchsysguard.exe (PID: 1356)
  - lsass.exe (PID: 2260)
  - inetinfo.exe (PID: 2428)
  - sempalong.exe (PID: 3780)
  - smss.exe (PID: 2120)
  - 74BE16.EXE (PID: 2516)
  - asr64_ldm.exe (PID: 3676)
  - 1429952535.exe (PID: 3200)
- Create files in a temporary directory
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - winlogon.exe (PID: 3820)
  - services.exe (PID: 1924)
  - lsass.exe (PID: 2260)
  - inetinfo.exe (PID: 2428)
  - smss.exe (PID: 2120)
  - sempalong.exe (PID: 3780)
  - 74BE16.EXE (PID: 2516)
  - WMIC.exe (PID: 2824)
  - WMIC.exe (PID: 3124)
  - WMIC.exe (PID: 3584)
  - WMIC.exe (PID: 3840)
  - WMIC.exe (PID: 3240)
- Creates files or folders in the user directory
  - FeeLCoMz CoMMuNiTy.exe (PID: 4052)
  - smss.exe (PID: 3616)
  - asr64_ldm.exe (PID: 3676)
- Reads Environment values
  - frchsysguard.exe (PID: 1356)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 3440)
- Checks proxy server information
  - 74BE16.EXE (PID: 2516)
  - inetinfo.exe (PID: 2428)
  - asr64_ldm.exe (PID: 3676)
- Reads the Internet Settings
  - explorer.exe (PID: 4016)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2008:04:14 05:00:00
ZipCRC:	0x0d7438c2
ZipCompressedSize:	196
ZipUncompressedSize:	707
ZipFileName:	Virus/_default.pif

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

916

at /delete /y

C:\Windows\System32\at.exe

—

smss.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Schedule service command line interface

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\at.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\schedcli.dll

988

explorer.exe

C:\Windows\explorer.exe

—

sempalong.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1344

at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Brengkolang.com"

C:\Windows\System32\at.exe

—

smss.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Schedule service command line interface

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\at.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\schedcli.dll

1356

"C:\Users\admin\Desktop\Virus\hanvhm\frchsysguard.exe"

C:\Users\admin\Desktop\Virus\hanvhm\frchsysguard.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\virus\hanvhm\frchsysguard.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

1528

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Virus\DelF90.bat" "

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1840

svchost.exe

C:\Users\admin\Desktop\Virus\svchost.exe

—

DisplaySwitch.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Microsoft Word Document

Exit code:

Version:

1.01.0001

Modules

Images
c:\users\admin\desktop\virus\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

1856

"C:\Users\admin\Desktop\Virus\DisplaySwitch.exe"

C:\Users\admin\Desktop\Virus\DisplaySwitch.exe

—

explorer.exe

User:

admin

Company:

Корпорация Майкрософт

Integrity Level:

MEDIUM

Description:

Конвертор групп диспетчера программ Windows

Exit code:

Version:

5.1.2600.5512 (xpsp.080413-2105)

Modules

Images
c:\users\admin\desktop\virus\displayswitch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1924

C:\Users\admin\AppData\Local\services.exe

smss.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

2120

C:\Users\admin\AppData\Local\smss.exe

sempalong.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\smss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

2132

"C:\Users\admin\Desktop\Virus\3_AYTO_PTOING2010_TLALNEPANTLA(1).exe"

C:\Users\admin\Desktop\Virus\3_AYTO_PTOING2010_TLALNEPANTLA(1).exe

explorer.exe

User:

admin

Company:

Thamyras everybody

Integrity Level:

MEDIUM

Description:

Thamyras everybody

Exit code:

Version:

2.48

Modules

Images
c:\users\admin\desktop\virus\3_ayto_ptoing2010_tlalnepantla(1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

Add for printing

Total events

13 981

Read events

13 752

Write events

226

Delete events

Modification events


(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:	(3440) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop

Add for printing

Executable files

110

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\6F638C122B17ABE917FE28AE7B07D287\6F638C122B17ABE917FE28AE7B07D287		binary
		MD5:8819E6E359C933C6D2C9BD2A5ECFCEE9	SHA256:B5032B298FE9052B9738F06757729EE17D9DE3F9C7CDBD431C2BB1D6D96F56DB
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\6F63A59D00099D89004AE618E56C3425.exe		executable
		MD5:D8103D27E795B9753DF3239AB804B03E	SHA256:4315838DBAD913ADD8E05A1044CFB85D72E472FD65664F198EB841B0F831AC25
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\6F638C122B17ABE917FE28AE7B07D287\6F638C122B17ABE917FE28AE7B07D287.exe		executable
		MD5:D8103D27E795B9753DF3239AB804B03E	SHA256:4315838DBAD913ADD8E05A1044CFB85D72E472FD65664F198EB841B0F831AC25
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\3_AYTO_PTOING2010_TLALNEPANTLA(1).exe		executable
		MD5:E8CF0A14D643666347E96A3E0502E6F3	SHA256:E58D316420D48939FCEEB6C18FE6309F9860F01ED266726805ED8F28AE5688C9
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\74BE16.EXE		executable
		MD5:65A8F67B004575C3B3D153860BADB665	SHA256:1019A6D31B4BF33A3C93A282D42B9CD196D8F4BF77526587EA3392D35B849981
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\1429952535.exe		executable
		MD5:17D34AB78A0C4146046C72FA59F9245F	SHA256:AEA5837BFFCB59FD382D14F4C4A6E96CF8099A2650FDCF709E7CB9735A0275DC
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\AAP76E5.tmp.cmd		text
		MD5:B362798501E0B4332ADF19A4995AE1FA	SHA256:D1CDBDBF0BBBD85FCC81772E9C306D48E05A2E705C52B4A3C83CD91BC8AC5BFB
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\02 el culpable(2)11.exe		executable
		MD5:AB2C5D3C4BD6615301A767B9FE9046DF	SHA256:0FD6A7B40D3D324BF84827EE1BE8F336D339A9778AAE4A900B565B34AD31719C
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\_default.pif		binary
		MD5:B317B33694BAC49D492DD3F23E374899	SHA256:75CAF5ACA5B155AFBD4CE7EFFE825FE1BF4767A0AFEE64A8D726C5E9694FA33A
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.43087\Virus\about.Brontok.A.html		html
		MD5:50D9697937D20E15B585DCCDC2A188B3	SHA256:CD430DD5277A8A47860A72D4B00458E9986C63506C1A0216020B5ABD5E6516E2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3676	asr64_ldm.exe	GET	302	52.86.6.113:80	http://Beinahe.com/readdatagateway.php?type=stats&affid=139&subid=1&version=3.0&adwareok	unknown	—	—	unknown
2428	inetinfo.exe	GET	—	34.225.127.72:80	http://www.geocities.com/sbllro2/IN12VLMLSDSDW.txt	unknown	—	—	unknown
3632	6F638C122B17ABE917FE28AE7B07D287.exe	GET	404	112.121.178.189:80	http://112.121.178.189/api/urls/?ts=e711e20e&affid=46200	unknown	html	146 b	unknown
3676	asr64_ldm.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	unknown	binary	1.47 Kb	unknown
3676	asr64_ldm.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4768b7558eb38fcd	unknown	compressed	4.66 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3632	6F638C122B17ABE917FE28AE7B07D287.exe	112.121.178.189:80	—	Netsec Limited	HK	unknown
2516	74BE16.EXE	193.104.27.98:80	—	MTS PJSC	RU	unknown
2856	02 el culpable(2)11.exe	77.247.179.86:8003	ns1.timecheckings.com	NForce Entertainment B.V.	NL	unknown
2132	3_AYTO_PTOING2010_TLALNEPANTLA(1).exe	77.247.179.86:8003	ns1.timecheckings.com	NForce Entertainment B.V.	NL	unknown
2428	inetinfo.exe	34.225.127.72:80	www.geocities.com	AMAZON-AES	US	unknown
3676	asr64_ldm.exe	52.86.6.113:80	beinahe.com	AMAZON-AES	US	unknown

DNS requests

Domain	IP	Reputation
newsoftspot.com	—	unknown
ns1.timecheckings.com	77.247.179.86	malicious
www.geocities.com	34.225.127.72 106.10.248.150 54.161.105.65 13.50.184.192 18.136.37.69 34.213.101.254 44.228.206.170 13.49.212.207 13.251.69.97 74.6.136.150 98.136.103.23 212.82.100.150 124.108.115.100	malicious
beinahe.com	52.86.6.113 3.94.41.167	unknown
www.hugedomains.com	104.26.7.37 104.26.6.37 172.67.70.191	whitelisted
ctldl.windowsupdate.com	93.184.221.240	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted

Threats

PID	Process	Class	Message
3632	6F638C122B17ABE917FE28AE7B07D287.exe	Unknown Traffic	ET HUNTING Suspicious Empty User-Agent
3676	asr64_ldm.exe	A Network Trojan was detected	ET MALWARE Fake AV GET
3676	asr64_ldm.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP RogueAntiSpyware.AntiVirusPro Checkin
3676	asr64_ldm.exe	A Network Trojan was detected	ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected
3676	asr64_ldm.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP Fake Wget User-Agent (wget 3.0) - Likely Hostile
2428	inetinfo.exe	A Network Trojan was detected	ET MALWARE Brontok User-Agent Detected (Brontok.A3 Browser)

1 ETPRO signatures available at the full report

Add for printing

Process	Message
asr64_ldm.exe	C:\Users\admin\AppData\Roaming\Dr. Guard\drguard.exe
asr64_ldm.exe	C:\Program Files\Dr. Guard\drguard.exe

General Info

Virus.zip

3CA9B55E573DCC977BB1167D5A3D6FD0

50AE8AFE81B62BBB170523E6A3E6404F5460C1D7

15016FB331CEF2F2CE4FEDA5CE61B5560E7BE4CA031D0759531C9A639229FB06

98304:/dOmsMV7Q1TpfJd5DkBhMwHeqnBHAJ0wOqwHeqnBHAJ0wORXauNeeGhmXc8KH1Zs:mdgaLJLP8PGACaLOxpJQ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

WINWEBSEC has been detected (SURICATA)

Drops the executable file immediately after the start

Changes appearance of the Explorer extensions

Changes the autorun value in the registry

Create files in the Startup directory

Gets startup folder path (SCRIPT)

Gets path to any of the special folders (SCRIPT)

Accesses system services(Win32_Service) via WMI (SCRIPT)

Reads the value of a key from the registry (SCRIPT)

Registers / Runs the DLL via REGSVR32.EXE

Connects to the CnC server

BRONTOK has been detected (SURICATA)

SUSPICIOUS

Creates executable files that already exist in Windows

Process drops legitimate windows executable

The process creates files with name similar to system file names

Connects to the server without a host name

Starts itself from another location

Creates FileSystem object to access computer's file system (SCRIPT)

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Creates a Folder object (SCRIPT)

Executes WMI query (SCRIPT)

Reads the Internet Settings

Runs shell command (SCRIPT)

Uses WMIC.EXE to obtain BIOS management information

Connects to unusual port

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Reads settings of System Certificates

INFO

Manual execution by a user

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files or folders in the user directory

Reads Environment values

Drops the executable file immediately after the start

Checks proxy server information

Reads the Internet Settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information