General Info

File name: d8db85808e5a45cbad29d9957d75346c.exe
Full analysis: https://app.any.run/tasks/2d8dbe6b-5ecf-4568-87d0-508039f68f6c
Verdict
Malicious activity
Analysis date
6/16/2019, 16:34:11
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, ramnit, virut
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d8db85808e5a45cbad29d9957d75346c
SHA1: a31a5cb44ee702a885f76e3fd1fa47c7eb85c0eb
SHA256: 5dd53df7c10015dcc9a5c4ad6f4d6200082e0f686a29fbf620b0424fcead95ce
SSDEEP: 6144:VqajuwruoV3fTsrZU5v8kyteszJy51IRTSAE5:VqajHaK3IrK3f54Ti

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was injected by another process
  • dwm.exe (PID: 1980)
Application was dropped or rewritten from another process
  • DesktopLayer.exe (PID: 2592)
  • d8db85808e5a45cbad29d9957d75346cSrv.exe (PID: 1732)
Runs injected code in another process
  • d8db85808e5a45cbad29d9957d75346c.exe (PID: 3172)
Connects to CnC server
  • iexplore.exe (PID: 2992)
VIRUT was detected
  • dwm.exe (PID: 1980)
RAMNIT was detected
  • iexplore.exe (PID: 2992)
Changes the autorun value in the registry
  • d8db85808e5a45cbad29d9957d75346c.exe (PID: 3172)
Changes the login/logoff helper path in the registry
  • iexplore.exe (PID: 2992)
Executable content was dropped or overwritten
  • d8db85808e5a45cbad29d9957d75346cSrv.exe (PID: 1732)
  • d8db85808e5a45cbad29d9957d75346c.exe (PID: 3172)
Creates files in the program directory
  • iexplore.exe (PID: 2992)
Starts Internet Explorer
  • DesktopLayer.exe (PID: 2592)

No info indicators.

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.2%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2009:12:04 14:35:59+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
110592
InitializedDataSize:
45056
UninitializedDataSize:
null
EntryPoint:
0x30000
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
5.0.0.8140
ProductVersionNumber:
5.0.0.8140
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Dynamic link library
FileSubtype:
null
LanguageCode:
Chinese (Simplified)
CharacterSet:
Unicode
CompanyName:
360.cn
FileDescription:
360杀毒 启动程序
FileVersion:
5, 0, 0, 8140
InternalName:
360sdrun.exe
LegalCopyright:
(C)360.cn Inc.All Rights Reserved.
OriginalFileName:
360sdrun.exe
ProductName:
360杀毒
ProductVersion:
5, 0, 0, 8140
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
04-Dec-2009 13:35:59
Detected languages
Chinese - PRC
CompanyName:
360.cn
FileDescription:
360杀毒 启动程序
FileVersion:
5, 0, 0, 8140
InternalName:
360sdrun.exe
LegalCopyright:
(C)360.cn Inc.All Rights Reserved.
OriginalFilename:
360sdrun.exe
ProductName:
360杀毒
ProductVersion:
5, 0, 0, 8140
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
7
Time date stamp:
04-Dec-2009 13:35:59
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
111 0x00027000 0x00007200 0x00007200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.77068
.text 0x00001000 0x0001AE62 0x0001B000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 6.52209
.rdata 0x0001C000 0x000040C4 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.86353
.data 0x00021000 0x000049D1 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.98903
.rsrc 0x00026000 0x00001000 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 1.4992
xwtshin 0x0002F000 0x00001000 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rmnet 0x00030000 0x00016000 0x00016000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.90844
Resources
1

360SD

Imports

  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • MSVCRT.dll
  • WINMM.dll
  • WS2_32.dll
  • urlmon.dll
  • NETAPI32.dll
  • WININET.dll
  • AVICAP32.dll
  • MSVFW32.dll
  • WTSAPI32.dll

Exports

No exports.

Processes

Total processes
34
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

(graph rendered as text; edges recovered from the flattened graph labels and the parent-process data in the Process information section)
d8db85808e5a45cbad29d9957d75346c.exe -> drop and start -> d8db85808e5a45cbad29d9957d75346csrv.exe -> drop and start -> desktoplayer.exe (no specs) -> start -> iexplore.exe (#RAMNIT)
d8db85808e5a45cbad29d9957d75346c.exe -> inject -> dwm.exe (#VIRUT)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
1980
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll

PID
3172
CMD
"C:\Users\admin\AppData\Local\Temp\d8db85808e5a45cbad29d9957d75346c.exe"
Path
C:\Users\admin\AppData\Local\Temp\d8db85808e5a45cbad29d9957d75346c.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\d8db85808e5a45cbad29d9957d75346c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\d8db85808e5a45cbad29d9957d75346csrv.exe
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
1732
CMD
C:\Users\admin\AppData\Local\Temp\d8db85808e5a45cbad29d9957d75346cSrv.exe
Path
C:\Users\admin\AppData\Local\Temp\d8db85808e5a45cbad29d9957d75346cSrv.exe
Indicators
Parent process
d8db85808e5a45cbad29d9957d75346c.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
SOFTWIN S.R.L.
Description
BitDefender Management Console
Version
106.42.73.61
Modules
Image
c:\users\admin\appdata\local\temp\d8db85808e5a45cbad29d9957d75346csrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\users\admin\microsoft\desktoplayer.exe

PID
2592
CMD
C:\Users\admin\Microsoft\DesktopLayer.exe
Path
C:\Users\admin\Microsoft\DesktopLayer.exe
Indicators
No indicators
Parent process
d8db85808e5a45cbad29d9957d75346cSrv.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
SOFTWIN S.R.L.
Description
BitDefender Management Console
Version
106.42.73.61
Modules
Image
c:\users\admin\microsoft\desktoplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
2992
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
DesktopLayer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
152
Read events
19
Write events
133
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASAPI32 | EnableFileTracing | 0
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASAPI32 | EnableConsoleTracing | 0
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASAPI32 | FileTracingMask | 4294901760
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASAPI32 | ConsoleTracingMask | 4294901760
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASAPI32 | MaxFileSize | 1048576
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASAPI32 | FileDirectory | %windir%\tracing
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASMANCS | EnableFileTracing | 0
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASMANCS | EnableConsoleTracing | 0
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASMANCS | FileTracingMask | 4294901760
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASMANCS | ConsoleTracingMask | 4294901760
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASMANCS | MaxFileSize | 1048576
1980 | dwm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Dwm_RASMANCS | FileDirectory | %windir%\tracing
1980 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1980 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings |
3172 | d8db85808e5a45cbad29d9957d75346c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SVCSHOST | C:\Users\admin\AppData\Local\Temp\d8db85808e5a45cbad29d9957d75346c.exe
2992 | iexplore.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit | c:\windows\system32\userinit.exe,,c:\users\admin\microsoft\desktoplayer.exe

Files activity

Executable files
2
Suspicious files
0
Text files
109
Unknown types
0

Dropped files

PID
Process
Filename
Type
3172
d8db85808e5a45cbad29d9957d75346c.exe
C:\Users\admin\AppData\Local\Temp\d8db85808e5a45cbad29d9957d75346cSrv.exe
executable
MD5: 69b6a317b0e8026fdb735d87c8831269
SHA256: dc85c225e01d1d949bdc4f13dff611cf6d196bda4b739b72adadd666279d36da
1732
d8db85808e5a45cbad29d9957d75346cSrv.exe
C:\Users\admin\Microsoft\DesktopLayer.exe
executable
MD5: 69b6a317b0e8026fdb735d87c8831269
SHA256: dc85c225e01d1d949bdc4f13dff611cf6d196bda4b739b72adadd666279d36da
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Vigtigt.htm
html
MD5: 1c04719288818922d6393be3fb156d43
SHA256: 3e0078afa15335c55aee5c3474fbd556ac3e889ec40f02252508e00fdb89a3e6
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeUKR.htm
html
MD5: 05423678b5696647f39bd49572a8a810
SHA256: 3ec49e5ce334a29ad46382bc156d593fd548f421d4d4c186f1565aec6dc5614f
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeSKY.htm
html
MD5: f1ac4b49d5bb9247124281b8fce86b31
SHA256: 4a6d87108f19637e59539a903880357af6b8392e50247d33e9afccd12b7663b3
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeRUS.htm
html
MD5: 8ba81afa5c77377d9c6314fca43197c0
SHA256: 6379809f2292789dff0f3e47a79b4100f610db6bb6e2e6a04b4c93a92d84134f
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeRUM.htm
html
MD5: e4ae35582b89c5d3af0ee095a3b5d6be
SHA256: d52cb71ff1e5d9fdb1f617e3078a85cd7b3e41fb2c31c5008203c63f101531eb
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMePOL.htm
html
MD5: 74eaab987257608e64ef8df60c0da5ec
SHA256: 9abdbf922ab6c8e3e72c75e336c5873c1021e24f6cc458501812f711d165009d
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeK.htm
html
MD5: a4c4b8be9a5e342d8168290d58af7590
SHA256: 67be9981702ffcf03771f56db60ad89650347d3a1b82982df6007b3036ac47a3
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeJ.htm
html
MD5: 52d0496a5a3a8765da49183844ee3034
SHA256: 0495a3420118cbc42dc5b65630f7bcb058d80083440f8eae5762267348e1ae75
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeHUN.htm
html
MD5: 41126ca1cd09444835f89759b467b702
SHA256: c32ed5e34fcb71f4c64f393d630a097b707a8fc4dea60ad9280a04cfb8db0950
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeHRV.htm
html
MD5: 78970af49717280a7b53ad4a96e88c03
SHA256: c0cbe7f955f3936254fb38abb76194c5dd362fe11310f8271909094166ea9571
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeCZE.htm
html
MD5: c73d180e872b46022a91c421d66e3b5e
SHA256: 10cc0327affc0477e414498eb033f618242730b0787cd6d5f332afdd848c633a
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeCT.htm
html
MD5: 2e80be78812cadbf86e630a20580e573
SHA256: a94ec420798c57539b7be7609fb41dde54fda29c5d27aff23ab5da6fea95fb32
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeCS.htm
html
MD5: 8bf5aea42c585d4f6c9d2c5353ad3fa0
SHA256: db31b09dc20c0a591d6aca324bcb8e2578862a3ab29ef58498b57c4118a0f81b
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm
html
MD5: 694668d833ba1e32e2a80e8959b81a1b
SHA256: 6650a9d12f1902440d68bd01b6a5c662002551a3be874a7aa4cc16b513a3754c
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html
html
MD5: e960e07e3ee59e430162312fffbb3e40
SHA256: 942f48211311930103237cc70bd4d3a0d28a7f0bf4dc23b12e9d7fc0e95ebf39
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\UKR\license.html
xml
MD5: f5a0c9a794ffb199a740c7a2e7afdb90
SHA256: 20e930122c04649f87831c3e95821c99602821877a7e7235cf2ce6b3bfe7bbd4
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\TUR\license.html
xml
MD5: ed9ca2de5909a823461d11a5c19e40ed
SHA256: cc68e290f8e8fcc2aedf8b711f4504d15570e28d80c9deb34a516268a1abaabd
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SVE\license.html
xml
MD5: a887b0c3a3b227e1de749e6181f71df0
SHA256: 994ae4591fc73a9cc0fd2e02c01940f550a503353f8f317863a6ec9f2401b303
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SUO\license.html
xml
MD5: a1e29ddc1b08eb43cb7258204e0965f6
SHA256: b981ff79456e18d118aa4ee56297689dde667c8b1b6ccecca5c7b96777936626
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SLV\license.html
xml
MD5: 2fb4cb7aeba638a7f28313d7ac0479ec
SHA256: 13a84d105508a01b56d313e088a352ac032a94a23112de38d0932ec312d35ba7
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SKY\license.html
xml
MD5: 796f7078cf6e4a8d28bc389ecca0e574
SHA256: 64c94f58f1bd72efc87b5f25c2df90bac229532ca7fa2181d13da39d0d8d8151
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\RUS\license.html
xml
MD5: 21f242bd860b333fb7a80a6f1e4a6278
SHA256: 6cb22add629e22c972f9a153ccfcec07db810d2c2964cddab6a872b2055cf4bd
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\RUM\license.html
xml
MD5: ce5ec042180afd0b982dddd2d442e422
SHA256: b883090696763ac1d7c401ed09bf613cb19d0d9e7bc5d2200272b582c6a70bde
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\PTB\license.html
xml
MD5: 6fc11689f4a667d829ff63c01d9c5c43
SHA256: 3e6ea4fa0679750e8f735b97db5b1b1c7cf8546c2af396d64b83775d7bf687ee
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\POL\license.html
xml
MD5: 058a4b5eb777efd2e4a2fad97789ae4b
SHA256: f942a487ffbb1547eee4b7fc4379856279efadb80c26060943bc340a217cd6b1
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\NOR\license.html
xml
MD5: 803ccea1e469a9d6966f6b0a8805f11e
SHA256: b9ab1b54198a04815ccf9aa428f67adbba5f3a5fe12c5701374c89222670c087
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\NLD\license.html
xml
MD5: 4ec5f0488179ea74748a9b3936b04ab5
SHA256: b3db3d1f0675fd8d7a4cc646e9540cedeab1e2b9525be6ce9e706c9a4cdcda9e
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\KOR\license.html
xml
MD5: e7093917a0b9c116af0ca3129b9dd7d4
SHA256: 1db627c0fd47a1bb88a38e2e3866bbfd987e17fab2d9cdeff5825ed0adf4c8eb
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\JPN\license.html
xml
MD5: e5d40230d217eda0b061aca536fe4dda
SHA256: 17697e17d5f22a623457cc485ece597cdb6568056f665f93fa793bc88d615d74
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ITA\license.html
xml
MD5: ef4b220e955b98d2e5709a8ef4836a27
SHA256: fc915195bb101236939a7bf02a47d9fc501d923111da072bb2c76eee231e9283
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\HUN\license.html
xml
MD5: 357266d2c0eca2eb9c9b62aa0ca1024c
SHA256: f8453bafb59789370828a8f87fec99f78f060a250b3c2d989e77609e6e11e69a
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\HRV\license.html
xml
MD5: 6af29eebf22b9b8b39bb1fa8ae159973
SHA256: 8d376126167a4222e87526cb2f431f198831cd968b61955c885a5220a0402ec2
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\FRA\license.html
xml
MD5: d84d686087bf22cd30e6c41c64225d92
SHA256: 89669026b9b618dea47f3007d406b5a04ba0f8295bf14ba20493ed2e4c8d9a08
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\EUQ\license.html
xml
MD5: 784a0efe03afa9d90c3741df5ccc5432
SHA256: ed11971ee2a4595d771b9b0d02cc0d583d113dea5bd875650ec0ff09de7268a7
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ESP\license.html
xml
MD5: 3b902c11767879359b503a47b0c98126
SHA256: 19d35fd35c6d4d12d3cce255231badfe2b8157cfbf325b741cd44a96827087b6
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html
xml
MD5: 8c317728aa718e6ba72beae8262ab401
SHA256: 4d639edad81032e5582eadf822e433965d3b8955021d426371f135d468fd54d8
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DEU\license.html
xml
MD5: 586f71f062ced82e2fb3710d464685da
SHA256: 899766b4f9b0c1a28127921160a31d287f3471d62d0555d9c165559c0d91bad1
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DAN\license.html
xml
MD5: b370c5933980fd50556ce234ce050162
SHA256: aaff1ad4875b905cabcb756ddb369673eb229e25465c321966d3205966a558a3
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CZE\license.html
xml
MD5: 22758e8cac33f986cee8a41b68cb6c86
SHA256: c2343cda85d0bcca10d82eb303173337c4106479f3836bb07de0c7ed8283ffda
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHT\license.html
xml
MD5: 3c71301f050f559644de7c5c139ed636
SHA256: 8ca08fd15d1749d556a73abd0b471fadb0413d08e7172cfeed1a8aa9d1a73a41
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHS\license.html
xml
MD5: eaead7a8bf987a747ed7472d4407b0a9
SHA256: f67ee549646c66c26f2c632cf2dccd1bd1949cdd1d6776fe5af83f9859feac9c
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html
xml
MD5: af0a4bfe2ad0c564456c55f056120f63
SHA256: 6885a5a69cd06b37981a9b3bed002cbb6ca65383c8a54ab6210c29a014e9b680
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm
html
MD5: 2bf0b4a7d11669d1cdc16dca85129c66
SHA256: 09b6e1cfcd7dda44f49aeb2dd9f1cf6f5c3e216a5c7eb26a6b3bea14ce9588ce
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm
html
MD5: ebc408e1b2060729868140b738275264
SHA256: aadb401a01e0291e1919e38c24bffa5de610c82634183a285613877cf316a586
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm
html
MD5: 708fa8779d294d639ae559cd66c5a94f
SHA256: 0fa78a71f11cae07164a664fd86e5a0e95294dcf8ecdb24191cf47db49c4c0bb
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm
html
MD5: d93309fae7dbc7947d65db5d30b9aca2
SHA256: a4e3470cf278ab090444650a5275c18d0cc11557a097348edd12e7230de0b5c5
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
html
MD5: 10faad2c8bf0adddba039c69344bd36d
SHA256: edc2cca94c9da4125ce4b4999114ccb22ab0d1d06a49f6ead5f0a626e3fb2220
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm
html
MD5: 02ffdbb7f5d869e47e5c426642024310
SHA256: fc005a3e45acae94cc5d2d89f716a943a35822f5b8797e3bf87a053db6be1ebf
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm
html
MD5: 522f8e9875a4062312b3bd91d3ed598e
SHA256: 712702b6725be0e94f698eb93718d0b42c41b8fdf1606180da5783b4e39b02bd
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm
html
MD5: 2e8adc6f375cdb0567b024796e0db803
SHA256: 4a9bf89f9dac889cdc945d43024cb5e678d1bbad6d71b9bf4acadd5b96bfb4a9
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm
html
MD5: 077f731ace8cee2f963c89ef8820fce8
SHA256: 639c465f76480ac8d7d96c8e63eb964aafd70a741031944c4068b08474923f90
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm
html
MD5: d8cadfa1610ab8f9a090107475f7afe6
SHA256: ea31a008c6586d6c5ff895f38b22402b491e9d93c47878adba2fff75ee665d33
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm
html
MD5: 277a343351133692bb76e307b658a659
SHA256: 6c038a327f0b396e3c084020aa38f32f6e65fb1857ba3294ab4e38877e380c61
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Viktigt.htm
html
MD5: bb332bde22d6f4083d94aa243ae9b136
SHA256: 545b94f934d9ce4ecfa62c0655b9df9e3697983c94dc44183dafcf13bf126a2a
2992
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Viktig.htm
html
MD5: bcd2f0ac4188637036ce1e7d50026be0
SHA256: e49775556412394a38f440093d95aa96ce7aac0d446a9f866d302edea43358ef

Find more information about the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
30
Threats
10

HTTP requests

No HTTP requests.

Connections

PID | Process | IP | ASN | CN | Reputation
3172 | d8db85808e5a45cbad29d9957d75346c.exe | 121.41.39.145:7443 | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
1980 | dwm.exe | 148.81.111.121:80 | Naukowa I Akademicka Siec Komputerowa Instytut Badawczy | PL | malicious
2992 | iexplore.exe | 89.185.44.100:443 | Claranet Ltd | FR | malicious
2992 | iexplore.exe | 172.217.16.142:80 | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
ilo.brenz.pl | 148.81.111.121 | malicious
fget-career.com | 89.185.44.100 | malicious
google.com | 172.217.16.142 | whitelisted
bgiuhv.com | No response | unknown
ant.trenz.pl | 148.81.111.121 | malicious
aeccpb.com | No response | unknown
zqxaru.com | No response | unknown
yeyiqj.com | No response | unknown
vvfese.com | No response | unknown
eeauie.com | No response | unknown
iydjzh.com | No response | unknown
awiiyv.com | No response | unknown
nlcvst.com | No response | unknown
uqpiua.com | No response | unknown
uqiihi.com | No response | unknown
ixmuxj.com | No response | unknown
mkuedh.com | No response | unknown
riiher.com | No response | unknown
afvphf.com | No response | unknown
humtqm.com | No response | unknown
kyasyb.com | No response | unknown
xnabad.com | No response | unknown
qsgzxf.com | No response | unknown
ylxpnc.com | No response | unknown
zdlrbj.com | No response | unknown
orzank.com | No response | unknown
bhhdkr.com | No response | unknown
yncecg.com | No response | unknown
sslwug.com | No response | unknown
nzizzn.com | No response | unknown

Threats

PID | Process | Class | Message
–– | –– | A Network Trojan was detected | ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup
2992 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin
2992 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin
2992 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin
2992 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin
1980 | dwm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdor.W32/Virut
–– | –– | A Network Trojan was detected | ET TROJAN Known Hostile Domain ant.trenz .pl Lookup
1980 | dwm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdor.W32/Virut
2992 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Banker Ramnit CnC Connection

1 ETPRO signature is available in the full report

Debug output strings

No debug info.