General Info

File name

SKBM Purchase Order ZE5 471144308.pdf.gz

Full analysis
https://app.any.run/tasks/272a822d-cb77-471c-acfc-80e8b39393c9
Verdict
Malicious activity
Analysis date
9/11/2019, 10:31:46
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan, lokibot

Indicators:

MIME:
application/gzip
File info:
gzip compressed data, was "SKBM Purchase Order ZE5 471144308,pdf.exe", last modified: Wed Sep 11 00:34:54 2019, from FAT filesystem (MS-DOS, OS/2, NT)
MD5

6d0109016dae28a4af99822dfbb5929c

SHA1

73113c0c2640fbc2c0e57782a7b606d711ba2abe

SHA256

1dbc4f71ca4782ba2c4b24eea654d64922a785428c1a8c6c49e5000dc251b0b8

SSDEEP

6144:eg9QlABGR8LLWADjQKR9JFO2DYgReckQrvChY4cviflSWZbfOf5szgSuuGqtb:eMQlAB4Kfjrlo2MgRecHrvCtcKfEWZGs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
Runs app for hidden code execution
  • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
Loads dropped or rewritten executable
  • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
LokiBot was detected
  • cmd.exe (PID: 3688)
Connects to CnC server
  • cmd.exe (PID: 3688)
Known privilege escalation attack
  • DllHost.exe (PID: 1812)
Actions look like stealing of personal data
  • cmd.exe (PID: 3688)
Starts CMD.EXE for commands execution
  • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
  • DllHost.exe (PID: 1812)
Executable content was dropped or overwritten
  • cmd.exe (PID: 3688)
  • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
  • WinRAR.exe (PID: 2776)
Creates files in the user directory
  • SKBM Purchase Order ZE5 471144308,pdf.exe (PID: 2748)
  • cmd.exe (PID: 3688)
Executed via COM
  • DllHost.exe (PID: 1812)
Loads DLL from Mozilla Firefox
  • cmd.exe (PID: 3688)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 2104)
Connects to server without host name
  • cmd.exe (PID: 3688)

No info indicators.

Static information

TRiD
.z/gz/gzip
|   GZipped data (100%)
EXIF
ZIP
Compression:
Deflated
Flags:
FileName
ModifyDate:
2019:09:11 02:34:54+02:00
ExtraFlags:
(none)
OperatingSystem:
FAT filesystem (MS-DOS, OS/2, NT/Win32)
ArchivedFileName:
SKBM Purchase Order ZE5 471144308,pdf.exe

Processes

Total processes
40
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Process information

PID
2776
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SKBM Purchase Order ZE5 471144308.pdf.gz.z"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa2776.23049\skbm purchase order ze5 471144308,pdf.exe

PID
2748
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa2776.23049\skbm purchase order ze5 471144308,pdf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\nsaa7f9.tmp\system.dll
c:\users\admin\appdata\local\temp\sump.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntdll.dll

PID
3688
CMD
"C:\Windows\system32\cmd.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
SKBM Purchase Order ZE5 471144308,pdf.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\atl.dll
c:\windows\system32\cmlua.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\userenv.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll

PID
1812
CMD
C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cmstplua.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cmlua.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
2104
CMD
"C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\Sonar" /t REG_DWORD /d 0"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
DllHost.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3640
CMD
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\admin\AppData\Roaming\Adobe\Sonar" /t REG_DWORD /d 0
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
22233
Read events
1183
Write events
21050
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2776
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\SKBM Purchase Order ZE5 471144308.pdf.gz.z
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2776
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
write
HKEY_CURRENT_USER\Software\HydraProductions\domineesforefeel
FinishRead
No
3688
cmd.exe
write
HKEY_CURRENT_USER\���������������������Ь���������Й��я��
F63AAA
%APPDATA%\F63AAA\A71D80.exe
1812
DllHost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1812
DllHost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3640
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
C:\Users\admin\AppData\Roaming\Adobe\Sonar
0

Files activity

Executable files
10
Suspicious files
3
Text files
11
Unknown types
12

Dropped files

PID
Process
Filename
Type
2776
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2776.23049\SKBM Purchase Order ZE5 471144308,pdf.exe
executable
MD5: c31acd5e24dbd11866e7ffed59e5a91c
SHA256: e9ecea88be2206882f3f040e1390f20c5f5d004a57bedda43ac77722a678fa64
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\sump.dll
executable
MD5: c86d2663782ef0e996b18b680d1a7e4d
SHA256: 2670819d4efcf016c496e6fdd926514df0482cf9c47a25bb86210076c9e3d31d
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\sbssystementerpriseservices.dll
executable
MD5: 98b030cfcec9b1981befd6fe1bf29d6b
SHA256: d25d6d7675f6e0233162b189cdebefde95d2a3e7fa61c6cbe4729a3a4943102c
3688
cmd.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
executable
MD5: 40d777b7a95e00593eb1568c68514493
SHA256: 0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\aspnetregbrowsers.exe
executable
MD5: a394c927a7ad7befdf7136144232a13a
SHA256: 59146d16e5a1b9c2e47eb1447e6ae2fa403c4182107e893a7cf33c81e8023a54
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\regcap.exe
executable
MD5: 5fe8a1a2693fb4be7eab5190c15a9207
SHA256: 3ce855f86c63158d1d9f45da7e6b6096e107dc9bca2928b02b79e08a354d040b
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\crtowordsjp.dll
executable
MD5: 3e4bcf2de196ef44475f8962d2c510a7
SHA256: 6b939ca71a60206953cea7340bc3754b7edefb77fffbd98a6a78ec08fd667834
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\VsMacroHierarchyLib.dll
executable
MD5: fa8b9b8c019621ee87f6dc589a50db99
SHA256: 165882e496e37ceb73174d921d7a07de38750c5e43f2bc4f0f8a052faa5a5b97
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\ZipExeStub.exe
executable
MD5: 69aa866258d8c730bf1feffeabe57fa5
SHA256: 0e1d1b6545d1162c755e0b22c97dfd337dfc64fb8791704a93c84d448b44511f
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\nsaA7F9.tmp\System.dll
executable
MD5: fbe295e5a1acfbd0a6271898f885fe6a
SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\thresholds.xml
xml
MD5: 04d4a80687f7073ae81c91907889db42
SHA256: 793fa5347285e56cd1591f10a3f0655531465fff5979c7f800bf3d4edbe57b3b
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\mdrivres.h
text
MD5: bdf6088662559a51666d0719001f26bd
SHA256: 1369534dc903a1b2e45f17338a15228eb1f533d3737d079697661b721bbd609a
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\sarray.cpp
text
MD5: b9e1e1695cc3ea6e2a79feb2a8cbe871
SHA256: c28000f94b793e508bdc7aaf56205b84ffbfb4587ce10056021251e1e75f9335
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\17.opends60.dll
binary
MD5: c9aadeb2dff40c7b10d83a0a242aa0c8
SHA256: 66fb73ea5498df675c429833fd0f4e8564c476ff32e41a14c6e30cbe5aeb4f99
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\KBTopicTypeFilter80.xml
xml
MD5: d67ecac69c351ac93a9338f439902de2
SHA256: cd2bd40b0646796281aacf23e76ff8b134281844ed84089c71df9adab31d4c56
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Roaming\config\quickmod\ParentID\actions\libmpc3amd64.shlibs
text
MD5: 8f475ec808c7a86112b6e068a7270261
SHA256: fe45308f6f16426749779abf1b417fde8afc0b195b1ab0fd552451ab32b012e4
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\gtk-remove.svg
text
MD5: f009d44ac0b96274b34decf5dd482680
SHA256: 97b672dee37bd562f6e9d5e86a0ad80724c799182c5560cb519c5776bb25e54d
3688
cmd.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: 18b8cfc0185c50383aac0a4f30a9dac8
SHA256: 913e8ced6a447fe791954d382aba52d490513c5d2f689b391866c7e561f89a03
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\RemotingCrossAppDomain.zip
compressed
MD5: 5ef75ab1566a385327135ba1cf26ce50
SHA256: 3aba97581058f23191ba831e5b5593b0592c4d83af8a9f798bc07249ba9b69a3
3688
cmd.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb
text
MD5: 5302b1b5ec232d44e2d9507fb847fc49
SHA256: 20b58a25872b1e3f7d47dae0c090acf229c49b6e33939934513499cc37bb2684
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\Ogham
binary
MD5: 55a8d5b53fb5afd22e0929b91b8b182b
SHA256: 23427b1614da4183fc7eed440f6499d7160543068e4976b3819427ca3bb616ba
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\croseci2c.ko
o
MD5: 982ef9265a0408838723cfec9d529022
SHA256: 85ad8fbf5405a22284f68903960f3f4039b429f9bce1c350a5f7dd59842e8485
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\vnd.android.package-archive.xml
xml
MD5: dc571042d83000283e6f697c62b0bf93
SHA256: 7687fd25a5c2709c28ff4af9dac64fe6fb496688f7a75cc44d80719d5abe528a
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\Local903113851vbcalendar1.gif
image
MD5: d407f091e74fdc406007dc52583b72b1
SHA256: 965f56b03d76936a329716fda679a4e2a74df0c0a81550d1029394edaf94b284
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\io.pagure.lohit.tamil.font.metainfo.xml
xml
MD5: dfd6ece482b01ba11184d93d4578e77a
SHA256: f9aa0a05b7a957154e5d280f9c60680499860a2ecd824cdaed7682c2c96308ec
3688
cmd.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
––
MD5:  ––
SHA256:  ––
2748
SKBM Purchase Order ZE5 471144308,pdf.exe
C:\Users\admin\AppData\Local\Temp\product.xdr
xml
MD5: 476e60ddf5f74432da30c759217f9c57
SHA256: ac67fe1a8338b98b8c88400484513ad052f88b470835bfe671847c444ecde8c0
3688
cmd.exe
C:\Users\admin\AppData\Local\Temp\36ed129c.lnk
lnk
MD5: e757a466834b86cc20d33dbfd6ad1063
SHA256: 695942d0e36d0dadf9f805b5a975c54c3ba8caf8a62c25851c48ebed39f2cc5e

Network activity

HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
0
Threats
26

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3688 cmd.exe POST 404 86.106.102.103:80 http://86.106.102.103/Sammybiggy/fre.php RU binary text malicious
3688 cmd.exe POST 404 86.106.102.103:80 http://86.106.102.103/Sammybiggy/fre.php RU binary text malicious
3688 cmd.exe POST 404 86.106.102.103:80 http://86.106.102.103/Sammybiggy/fre.php RU binary binary malicious
3688 cmd.exe POST 404 86.106.102.103:80 http://86.106.102.103/Sammybiggy/fre.php RU –– malicious

Connections

PID Process IP ASN CN Reputation
3688 cmd.exe 86.106.102.103:80 Mir Telematiki Ltd RU malicious

DNS requests

No DNS requests.

Threats

PID Process Class Message
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3688 cmd.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3688 cmd.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
3688 cmd.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Fake 404 Response
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
3688 cmd.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3688 cmd.exe A Network Trojan was detected ET TROJAN LokiBot Fake 404 Response

4 ETPRO signatures available at the full report

Debug output strings

No debug info.