Malware analysis http://www.bullzip.com/ Malicious activity

Add for printing

URL:	http://www.bullzip.com/
Full analysis:	https://app.any.run/tasks/7656391c-c52d-4a84-80e3-b4e4b2cab3e8
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	August 14, 2018, 16:30:50
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader
Indicators:
MD5:	C6416CBE432B03A2EB81D14DEC1B6824
SHA1:	F8DFF07BFD7174944F1E94B8A23BD8D4E8D99C05
SHA256:	2FF3C1D516516FCF2C9A396A4FFC66BF49300EC8A1394591C30D54AA8302A551
SSDEEP:	3:N1KJS4wlK:Cc4wlK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.91)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 (12.0.40660.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 (12.0.40660)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 (12.0.40660)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Steam (2.10.91.91)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Downloads executable files from the Internet
  - iexplore.exe (PID: 2908)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
- Application was dropped or rewritten from another process
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.exe (PID: 868)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.exe (PID: 2812)
  - Port.exe (PID: 3472)
  - Port.exe (PID: 3776)
- Starts NET.EXE for service management
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
- Loads dropped or rewritten executable
  - regsvr32.exe (PID: 3336)
  - regsvr32.exe (PID: 2312)
  - regsvr32.exe (PID: 3892)
  - regsvr32.exe (PID: 4024)
  - regsvr32.exe (PID: 2564)
  - regsvr32.exe (PID: 2244)
  - regsvr32.exe (PID: 2076)
  - regsvr32.exe (PID: 696)
  - regsvr32.exe (PID: 2172)
  - regsvr32.exe (PID: 3824)
  - regasm.exe (PID: 3876)
  - regasm.exe (PID: 3768)
  - regasm.exe (PID: 2220)
  - regasm.exe (PID: 3832)
  - regsvr32.exe (PID: 3660)
  - regsvr32.exe (PID: 2256)
  - spoolsv.exe (PID: 2296)
  - PrintIsolationHost.exe (PID: 3664)
  - spoolsv.exe (PID: 2156)
  - wmiprvse.exe (PID: 2920)
  - Port.exe (PID: 3776)
  - Port.exe (PID: 3472)
- Registers / Runs the DLL via REGSVR32.EXE
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
SUSPICIOUS
- Executable content was dropped or overwritten
  - iexplore.exe (PID: 2908)
  - iexplore.exe (PID: 2320)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.exe (PID: 2812)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.exe (PID: 868)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.exe (PID: 2396)
  - gslite.tmp (PID: 2672)
  - pdfpowertool_setup.exe (PID: 2148)
  - xpdfsetup.exe (PID: 2848)
  - pdfpowertool_setup.tmp (PID: 1484)
  - xpdfsetup.tmp (PID: 964)
  - spoolsv.exe (PID: 2296)
- Reads Windows owner settings
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.tmp (PID: 2672)
  - pdfpowertool_setup.tmp (PID: 1484)
  - xpdfsetup.tmp (PID: 964)
- Reads the Windows organization settings
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.tmp (PID: 2672)
  - xpdfsetup.tmp (PID: 964)
  - pdfpowertool_setup.tmp (PID: 1484)
- Creates or modifies windows services
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
- Checks supported languages
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
- Creates files in the Windows directory
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - spoolsv.exe (PID: 2296)
  - PrintIsolationHost.exe (PID: 3664)
  - wmiprvse.exe (PID: 2920)
  - spoolsv.exe (PID: 2156)
- Creates COM task schedule object
  - regsvr32.exe (PID: 3336)
  - regsvr32.exe (PID: 2172)
  - regasm.exe (PID: 3768)
  - regsvr32.exe (PID: 3824)
  - regasm.exe (PID: 2220)
  - regasm.exe (PID: 3876)
  - regasm.exe (PID: 3832)
- Creates files in the program directory
  - regasm.exe (PID: 3768)
  - regasm.exe (PID: 3876)
  - regasm.exe (PID: 3832)
  - regasm.exe (PID: 2220)
- Reads Internet Cache Settings
  - rundll32.exe (PID: 3588)
- Removes files from Windows directory
  - spoolsv.exe (PID: 2296)
  - spoolsv.exe (PID: 2156)
- Starts Internet Explorer
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3632)
INFO
- Creates files in the user directory
  - iexplore.exe (PID: 2908)
  - FlashUtil32_27_0_0_187_ActiveX.exe (PID: 3732)
  - iexplore.exe (PID: 2320)
  - iexplore.exe (PID: 2576)
  - FlashUtil32_27_0_0_187_ActiveX.exe (PID: 3100)
- Changes internet zones settings
  - iexplore.exe (PID: 2320)
  - iexplore.exe (PID: 2504)
- Reads internet explorer settings
  - iexplore.exe (PID: 2908)
  - iexplore.exe (PID: 2576)
- Application was dropped or rewritten from another process
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3632)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.tmp (PID: 2672)
  - gslite.exe (PID: 2396)
  - pdfpowertool_setup.exe (PID: 2148)
  - xpdfsetup.exe (PID: 2848)
  - pdfpowertool_setup.tmp (PID: 1484)
  - xpdfsetup.tmp (PID: 964)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2908)
  - iexplore.exe (PID: 2576)
- Reads settings of System Certificates
  - iexplore.exe (PID: 2908)
- Dropped object may contain URL's
  - iexplore.exe (PID: 2320)
  - iexplore.exe (PID: 2908)
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.tmp (PID: 2672)
  - pdfpowertool_setup.tmp (PID: 1484)
  - xpdfsetup.tmp (PID: 964)
  - PrintIsolationHost.exe (PID: 3664)
  - spoolsv.exe (PID: 2296)
  - iexplore.exe (PID: 2504)
  - iexplore.exe (PID: 2576)
- Loads dropped or rewritten executable
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.tmp (PID: 2672)
  - pdfpowertool_setup.tmp (PID: 1484)
  - xpdfsetup.tmp (PID: 964)
- Creates files in the program directory
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
  - gslite.tmp (PID: 2672)
  - pdfpowertool_setup.tmp (PID: 1484)
  - xpdfsetup.tmp (PID: 964)
- Creates a software uninstall entry
  - Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp (PID: 3836)
- Dropped object may contain Bitcoin addresses
  - spoolsv.exe (PID: 2296)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

184

Monitored processes

107

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

116

C:\Windows\system32\net1 start spooler

C:\Windows\system32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

300

"C:\Windows\system32\net.exe" STOP SPOOLER /Y

C:\Windows\system32\net.exe

—

Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

696

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\CBLCtlsU.ocx"

C:\Windows\system32\regsvr32.exe

—

Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

776

"C:\Windows\system32\net.exe" STOP SPOOLER /Y

C:\Windows\system32\net.exe

—

Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\nsi.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll

776

C:\Windows\system32\net1 STOP SPOOLER /Y

C:\Windows\system32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

828

C:\Windows\system32\net1 STOP SPOOLER /Y

C:\Windows\system32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

868

"C:\Users\admin\Desktop\Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.exe"

C:\Users\admin\Desktop\Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.exe

iexplore.exe

User:

admin

Company:

Bullzip

Integrity Level:

MEDIUM

Description:

Bullzip PDF Printer Professional and Expert Setup

Exit code:

Version:

11.7.0.2716

Modules

Images
c:\users\admin\desktop\setup_bullzippdfprinter_11_7_0_2716_pro_exp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

916

C:\Windows\system32\net1 STOP SPOOLER /Y

C:\Windows\system32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll

964

"C:\Users\admin\AppData\Local\Temp\is-OFDA5.tmp\xpdfsetup.tmp" /SL5="$41010E,690880,119296,C:\Users\admin\AppData\Local\Temp\is-LF0HE.tmp\xpdfsetup.exe" /verysilent /auto /noregistry /nouninstallregkey /dir="C:\Program Files\Bullzip\PDF Printer\xpdf"

C:\Users\admin\AppData\Local\Temp\is-OFDA5.tmp\xpdfsetup.tmp

xpdfsetup.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-ofda5.tmp\xpdfsetup.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

964

C:\Windows\system32\net1 STOP SPOOLER /Y

C:\Windows\system32\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\duser.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\imageres.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\shfolder.dll

Add for printing

Total events

7 647

Read events

2 560

Write events

4 291

Delete events

796

Modification events


(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000048000000010000000000000000000000000000000000000000000000B096B68868EBD301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000D8BFD602040000000000000000000000000000000000000000000000F4BFD602040000000000000000000000000000000000000000000000D8372A0000000000FFFFFFFF000000000000000000000000010000002E00000000000000000000000000000002000000C0A801640000000000000000D84ED505AC02000005000000010000000000000000000000010000000000000000000000BF060000000000000000000000000000000000001000000088C0D60204000000000000000000000000000000000000000000000000000000C8E40C00000000000C0000000000000000000000
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:	write	Name:	{76B3235B-9FDF-11E8-ACE5-5254004AAD11}
Value: 0
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Type
Value: 4
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Count
Value: 10
(PID) Process:	(2320) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Time
Value: E207080002000E0010001F0010002E02

Add for printing

Executable files

104

Suspicious files

Text files

268

Unknown types

160

Dropped files

PID	Process	Filename		Type
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MJG226QK\bullzip_com[1].txt		—
		MD5:—	SHA256:—
2320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHUAAB7W\favicon[1].ico		—
		MD5:—	SHA256:—
2320	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MJG226QK\bullzip_com[1].htm		html
		MD5:575993008D23CF4986E0FD7FED6450F3	SHA256:14A0F83AB69B60248B9E122447D4E42120AFCF586A2F42E533FCDCCD1C9A8E9B
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DSILEDM7\site[1].css		text
		MD5:B08F9C81F0DA9525A71CE1E7399BBCB5	SHA256:216B7A19198AE60C6906710729747EA7EFFB8CD42359B486EAEE5D0A66FF4117
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT		smt
		MD5:392B1D33838A8B71055B0E47AC6EBC93	SHA256:9D1A78B669EABEE452956EA6766931B70827C210B1993C74C2F9E843A79FB383
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XBSSZHSR\css[2].txt		text
		MD5:11E9F58E5FA50B01FAE8B0A4EA1478E6	SHA256:BBC020895B4837D8E59F23239AD3E005B4E6396D924FAE6BF819B84D9946364A
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:CF54D3329369E85F7F15979CC99EFC35	SHA256:060D17B842F07600581B2A1FA651DB1A76FBA4752673CA0149C76FF434632D98
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MJG226QK\script[1].php		html
		MD5:4776BAE9B957DCC2DF26A58249497269	SHA256:56E8238AB5DA6C1873E3D9D954E3A77A3234F38FA471AB3DCFC9CED7CDA99DE4
2908	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XBSSZHSR\bootstrap.min[1].css		text
		MD5:385B964B68ACB68D23CB43A5218FADE9	SHA256:B5FD723750763EBB731F9221E413E7D64D58D5192DC040E42292ED3DCCCCA732

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

134

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2908	iexplore.exe	GET	200	46.30.213.100:80	http://www.bullzip.com/assets/bootstrap/css/bootstrap.min.css	DK	text	17.7 Kb	malicious
2320	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted
2908	iexplore.exe	GET	200	216.58.215.234:80	http://fonts.googleapis.com/css?family=PT+Sans	US	text	162 b	whitelisted
2908	iexplore.exe	GET	200	46.30.213.100:80	http://www.bullzip.com/assets/fonts/myriad-pro/style.css	DK	text	298 b	malicious
2908	iexplore.exe	GET	200	216.58.215.227:80	http://fonts.gstatic.com/s/ptsans/v9/jizaRExUiTo99u79D0KEwQ.eot	US	eot	46.6 Kb	whitelisted
2908	iexplore.exe	GET	200	46.30.213.100:80	http://www.bullzip.com/assets/bootstrap/css/bootstrap-theme.min.css	DK	text	2.18 Kb	malicious
2908	iexplore.exe	GET	200	216.58.215.234:80	http://fonts.googleapis.com/css?family=PT+Sans+Caption	US	text	179 b	whitelisted
2908	iexplore.exe	GET	200	216.58.215.238:80	http://www.google-analytics.com/ga.js	US	text	16.7 Kb	whitelisted
2908	iexplore.exe	GET	200	46.30.215.24:80	http://zeropdf.com/script.php?token=b1fd1f8fad542a9e2954acc3111ce0bf	DK	html	748 b	suspicious
2908	iexplore.exe	GET	200	46.30.213.100:80	http://www.bullzip.com/assets/bootstrap/js/bootstrap.min.js	DK	text	8.33 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2908	iexplore.exe	46.30.213.100:80	www.bullzip.com	One.com A/S	DK	unknown
2908	iexplore.exe	216.58.215.234:80	fonts.googleapis.com	Google Inc.	US	whitelisted
2908	iexplore.exe	46.30.215.24:80	zeropdf.com	One.com A/S	DK	suspicious
2320	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2908	iexplore.exe	216.58.215.238:80	www.google-analytics.com	Google Inc.	US	whitelisted
2908	iexplore.exe	216.58.215.227:80	fonts.gstatic.com	Google Inc.	US	whitelisted
2908	iexplore.exe	31.13.92.14:80	connect.facebook.net	Facebook, Inc.	IE	whitelisted
2908	iexplore.exe	205.185.208.52:443	code.jquery.com	Highwinds Network Group, Inc.	US	unknown
2908	iexplore.exe	192.35.177.64:80	apps.identrust.com	IdenTrust	US	malicious
2908	iexplore.exe	94.31.29.128:80	cdn.bullzip.com	netDNA	GB	malicious

DNS requests

Domain	IP	Reputation
www.bullzip.com	46.30.213.100	malicious
fonts.googleapis.com	216.58.215.234	whitelisted
zeropdf.com	46.30.215.24	suspicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
fonts.gstatic.com	216.58.215.227	whitelisted
www.google-analytics.com	216.58.215.238	whitelisted
connect.facebook.net	31.13.92.14	whitelisted
code.jquery.com	205.185.208.52	whitelisted
www.facebook.com	31.13.92.38	whitelisted
apps.identrust.com	192.35.177.64	shared

Threats

PID	Process	Class	Message
2908	iexplore.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3836	Setup_BullzipPDFPrinter_11_7_0_2716_PRO_EXP.tmp	Misc activity	ADWARE [PTsecurity] PUP.Win32/Freemake.A UserAgent

Add for printing

Process	Message
PrintIsolationHost.exe	Upper DWORD of elapsed time = 0
PrintIsolationHost.exe	Lower DWORD of elapsed time = 156250

General Info

http://www.bullzip.com/

C6416CBE432B03A2EB81D14DEC1B6824

F8DFF07BFD7174944F1E94B8A23BD8D4E8D99C05

2FF3C1D516516FCF2C9A396A4FFC66BF49300EC8A1394591C30D54AA8302A551

3:N1KJS4wlK:Cc4wlK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Downloads executable files from the Internet

Application was dropped or rewritten from another process

Starts NET.EXE for service management

Loads dropped or rewritten executable

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Executable content was dropped or overwritten

Reads Windows owner settings

Reads the Windows organization settings

Creates or modifies windows services

Checks supported languages

Creates files in the Windows directory

Creates COM task schedule object

Creates files in the program directory

Reads Internet Cache Settings

Removes files from Windows directory

Starts Internet Explorer

INFO

Creates files in the user directory

Changes internet zones settings

Reads internet explorer settings

Application was dropped or rewritten from another process

Reads Internet Cache Settings

Reads settings of System Certificates

Dropped object may contain URL's

Loads dropped or rewritten executable

Creates files in the program directory

Creates a software uninstall entry

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings