General Info Watch the FULL Interactive Analysis at ANY.RUN!

File name

34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c

Verdict
Malicious activity
Analysis date
12/6/2018, 16:56:24
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
neutrino
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

ca446756d4bc97182b8288d471f9a138

SHA1

1113d6f6724153b0b2603f9a3e24a3f97ffb8a30

SHA256

34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c

SSDEEP

3072:+TncqPcvClNcy5jUg8ov5ZsxTFEDk2b97:i9gCV5ySkEDk2B7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Connects to CnC server
  • jevgr.exe (PID: 2968)
NEUTRINO was detected
  • jevgr.exe (PID: 2968)
Changes the autorun value in the registry
  • jevgr.exe (PID: 3800)
Runs PING.EXE for delay simulation
  • cmd.exe (PID: 2520)
Executable content was dropped or overwritten
  • 34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe (PID: 3100)
Starts itself from another location
  • 34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe (PID: 3100)
Application launched itself
  • jevgr.exe (PID: 3800)
Starts CMD.EXE for commands execution
  • jevgr.exe (PID: 3800)
  • 34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe (PID: 3100)
Uses NETSH.EXE for network configuration
  • cmd.exe (PID: 3488)
Creates files in the user directory
  • 34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe (PID: 3100)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win64 Executable (generic) (64.6%)
.dll
|   Win32 Dynamic Link Library (generic) (15.4%)
.exe
|   Win32 Executable (generic) (10.5%)
.exe
|   Generic Win/DOS Executable (4.6%)
.exe
|   DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:10:01 00:35:56+02:00
PEType:
PE32
LinkerVersion:
10
CodeSize:
22528
InitializedDataSize:
80384
UninitializedDataSize:
null
EntryPoint:
0x64fb
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
30-Sep-2016 22:35:56
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
30-Sep-2016 22:35:56
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x000056C6 0x00005800 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 6.13656
.rdata 0x00007000 0x00000468 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.28239
.data 0x00008000 0x000130C4 0x00012E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.77346
.reloc 0x0001C000 0x000001FA 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.05106
Resources

No resources.

Imports
    KERNEL32.dll

    SHLWAPI.dll

    MSVCRT.dll

Exports

    No exports.

Screenshots

Processes

Total processes
38
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

+
drop and start start 34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe jevgr.exe cmd.exe no specs ping.exe no specs cmd.exe no specs netsh.exe no specs #NEUTRINO jevgr.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3100
CMD
"C:\Users\admin\AppData\Local\Temp\34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe"
Path
C:\Users\admin\AppData\Local\Temp\34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\z0bazwxx\jevgr.exe

PID
3800
CMD
C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe
Path
C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe
Indicators
Parent process
34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\z0bazwxx\jevgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2520
CMD
/a /c ping 127.0.0.1 -n 3&del "C:\Users\admin\AppData\Local\Temp\34D701~1.EXE"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3040
CMD
ping 127.0.0.1 -n 3
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
3488
CMD
/a /c netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
jevgr.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
4000
CMD
netsh advfirewall firewall add rule name="Z0BAZwxx" dir=in action=allow program="C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe"
Path
C:\Windows\system32\netsh.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\slc.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nci.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\netshell.dll
c:\windows\system32\shell32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\atl.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\certcli.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\polstore.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\wdi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\tdh.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\qagent.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\eapqec.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll

PID
2968
CMD
"C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe"
Path
C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe
Indicators
Parent process
jevgr.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\z0bazwxx\jevgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
90
Read events
25
Write events
65
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3800
jevgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
3800
jevgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
3800
jevgr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
jevgr.exe
C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-100
DHCP Quarantine Enforcement Client
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-101
Provides DHCP based enforcement for NAP
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-103
1.0
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-102
Microsoft Corporation
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-1
IPsec Relying Party
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-2
Provides IPsec based enforcement for Network Access Protection
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-4
1.0
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-3
Microsoft Corporation
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-100
RD Gateway Quarantine Enforcement Client
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-101
Provides RD Gateway enforcement for NAP
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-102
1.0
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-103
Microsoft Corporation
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-100
EAP Quarantine Enforcement Client
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-101
Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-102
1.0
4000
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-103
Microsoft Corporation
2968
jevgr.exe
write
HKEY_CURRENT_USER\Software\Z0BAZwxx
a
aHR0cDovL2NvbGVrdGl2LmluZm8vcGFuZWwvdGFza3MucGhw
2968
jevgr.exe
write
HKEY_CURRENT_USER\Software\Z0BAZwxx
d
06.12.2018
2968
jevgr.exe
write
HKEY_CURRENT_USER\Software\Z0BAZwxx
1401076386715766
0
2968
jevgr.exe
write
HKEY_CURRENT_USER\Software\Z0BAZwxx
r
5

Files activity

Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID Process Filename Type
3100 34d7012917e69cf379d3c451287f8bf2f7e0b39d752ad3fb889a92473ff97b7c.exe C:\Users\admin\AppData\Roaming\Z0BAZwxx\jevgr.exe executable

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
4
TCP/UDP connections
52
DNS requests
102
Threats
9

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2968 jevgr.exe POST 404 145.239.88.201:80 http://colektiv.info/panel/tasks.php PL
text
html
malicious
2968 jevgr.exe POST 404 145.239.88.201:80 http://colektiv.info/panel/tasks.php PL
text
html
malicious
2968 jevgr.exe POST 404 145.239.88.201:80 http://colektiv.info/panel/tasks.php PL
text
html
malicious
2968 jevgr.exe POST 404 145.239.88.201:80 http://colektiv.info/panel/tasks.php PL
text
html
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2968 jevgr.exe 107.161.16.236:53 RamNode LLC US unknown
2968 jevgr.exe 138.68.128.160:53 Digital Ocean, Inc. GB unknown
2968 jevgr.exe 95.85.9.86:53 Digital Ocean, Inc. NL unknown
2968 jevgr.exe 145.239.88.201:80 OVH SAS PL malicious
2968 jevgr.exe 62.117.121.194:53 OJSC Comcor RU unknown
2968 jevgr.exe 178.17.170.133:53 I.C.S. Trabia-Network S.R.L. MD unknown
2968 jevgr.exe 185.14.29.140:53 ITL Company NL unknown
2968 jevgr.exe 198.251.86.12:53 FranTech Solutions US unknown
2968 jevgr.exe 178.63.145.236:53 Hetzner Online GmbH DE unknown
2968 jevgr.exe 37.187.0.40:53 OVH SAS FR unknown
2968 jevgr.exe 128.199.248.105:53 Digital Ocean, Inc. SG unknown
2968 jevgr.exe 8.8.8.8:53 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
ns.dotbit.me 107.161.16.236
shared
colektiv.info No response malicious
alors.deepdns.cryptostorm.net 62.117.121.194
unknown
onyx.deepdns.cryptostorm.net 62.117.121.194
suspicious
ns1.any.dns.d0wn.biz 198.251.86.12
suspicious
ns1.random.dns.d0wn.biz 178.17.170.133
suspicious
ns2.random.dns.d0wn.biz 185.14.29.140
suspicious
anyone.dnsrec.meo.ws No response unknown
ist.fellig.org 178.63.145.236
unknown
civet.ziphaze.com 138.68.128.160
unknown
ns2.fr.dns.d0wn.biz 37.187.0.40
suspicious
ns1.sg.dns.d0wn.biz 128.199.248.105
suspicious
ns1.nl.dns.d0wn.biz 95.85.9.86
unknown

Threats

PID Process Class Message
2968 jevgr.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Neutrino check-in m2
2968 jevgr.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Neutrino checkin
2968 jevgr.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Neutrino check-in m1
2968 jevgr.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Neutrino check-in m1
2968 jevgr.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Neutrino check-in m1

4 ETPRO signatures available at the full report

Debug output strings

No debug info.