Program did not start
General Info
- File name
-
jiazt
- Verdict
- Malicious activity
- Threats:
-
Emotet is one of the most dangerous trojans to have been created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.
- Analysis date
- 12/2/2019, 22:40:56
- OS:
- Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
- Tags:
-
emotet
trojan
stealer
- Indicators:
- MIME:
- application/x-dosexec
- File info:
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
-
150c830e94d8ea723b7620ff20c47337
- SHA1
-
19c6fc075f1788c679dd55317302e2b264795763
- SHA256
-
703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b
- SSDEEP
-
6144:imtSfyuhgWlFcDGIrtHLkij3V4bSW6KRLPkWvtb:BSqORctrkiDV4o6Lb
Software environment set and analysis options
Launch configuration
- Task duration
- 300 seconds
- Additional time used
- 240 seconds
- Fakenet option
- off
- Heavy Evaision option
- off
- MITM proxy
- off
- Route via Tor
- off
- Network geolocation
- off
- Privacy
- Public submission
- Autoconfirmation of UAC
- on
Software preset
- Internet Explorer 8.0.7601.17514
- Adobe Acrobat Reader DC MUI (15.023.20070)
- Adobe Flash Player 26 ActiveX (26.0.0.131)
- Adobe Flash Player 26 NPAPI (26.0.0.131)
- Adobe Flash Player 26 PPAPI (26.0.0.131)
- Adobe Refresh Manager (1.8.0)
- CCleaner (5.35)
- FileZilla Client 3.36.0 (3.36.0)
- Google Chrome (75.0.3770.100)
- Google Update Helper (1.3.34.7)
- Java 8 Update 92 (8.0.920.14)
- Java Auto Updater (2.8.92.14)
- Microsoft .NET Framework 4.7.2 (4.7.03062)
- Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
- Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
- Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Professional 2010 (14.0.6029.1000)
- Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
- Microsoft Office Proof (English) 2010 (14.0.6029.1000)
- Microsoft Office Proof (French) 2010 (14.0.6029.1000)
- Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
- Microsoft Office Proof (German) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
- Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
- Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Single Image 2010 (14.0.6029.1000)
- Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
- Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
- Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
- Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
- Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
- Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
- Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
- Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
- Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
- Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
- Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
- Notepad++ (32-bit x86) (7.5.1)
- Opera 12.15 (12.15.1748)
- Skype version 8.29 (8.29)
- Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
- VLC media player (2.2.6)
- WinRAR 5.60 (32-bit) (5.60.0)
Hotfixes
- Client LanguagePack Package
- Client Refresh LanguagePack Package
- CodecPack Basic Package
- Foundation Package
- IE Troubleshooters Package
- InternetExplorer Optional Package
- KB2534111
- KB2999226
- KB4019990
- KB976902
- LocalPack AU Package
- LocalPack CA Package
- LocalPack GB Package
- LocalPack US Package
- LocalPack ZA Package
- ProfessionalEdition
- UltimateEdition
Behavior activities
| MALICIOUS | SUSPICIOUS | INFO |
|---|---|---|
EMOTET was detected
|
Executable content was dropped or overwritten
|
Reads Microsoft Office registry keys
|
Static information
TRiD
.exe
|
Win32 Executable MS Visual C++ (generic) (35.8%)
.exe
|
Win64 Executable (generic) (31.7%)
.scr
|
Windows screen saver (15%)
.dll
|
Win32 Dynamic Link Library (generic) (7.5%)
.exe
|
Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:12:02 21:19:01+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
335872
InitializedDataSize:
262144
UninitializedDataSize:
null
EntryPoint:
0x52b8
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
02-Dec-2019 20:19:01
Detected languages
English - United States
Debug artifacts
\User\Desktop\Visual 6.0\VerySource.com_7786bc849ebf149a2aaf8801acd3fa75b1476ac3-4225451\MFC_Bible\Code\DlgSmpl\WinRel\DlgSmpl.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
02-Dec-2019 20:19:01
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
Sections
| Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000513DC | 0x00052000 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 5.33887 |
| .rdata | 0x00053000 | 0x0000E58F | 0x0000F000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 3.50595 |
| .data | 0x00062000 | 0x0001BE48 | 0x00018000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 6.75094 |
| .idata | 0x0007E000 | 0x0000339D | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.36141 |
| .rsrc | 0x00082000 | 0x00009363 | 0x0000A000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 3.38152 |
| .reloc | 0x0008C000 | 0x0000663E | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ | 5.74513 |
Resources
1
2
3
4
5
6
7
8
9
10
100
128
129
130
131
132
133
134
135
2049
3585
3601
3602
3603
3604
3605
3606
3697
3713
3825
3826
3841
3842
3843
3857
3858
3859
3865
3866
3867
3868
3869
26567
30721
30977
30994
30995
30996
Imports
KERNEL32.dll
USER32.dll
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
Exports
No exports.
Screenshots
Processes
Total processes
43
Monitored processes
10
Malicious processes
8
Suspicious processes
0
Behavior graph
–
+
Specs description
Integrity level
elevation
Task сontains an error
or was rebooted
Process has crashed
Task contains several
apps running
Executable file was
dropped
Debug information is
available
Process was injected
Network attacks were
detected
Application downloaded
the executable file
Actions similar to
stealing personal data
Behavior similar to
exploiting the vulnerability
Inspected object has
sucpicious PE structure
File is detected by
antivirus software
CPU overrun
RAM overrun
Process starts the
services
Process was added to
the startup
Behavior similar to
spam
Low-level access to
the HDD
Probably Tor was used
System was rebooted
Connects to the
network
Known threat
Process information
Click at the process to see the details.
- PID
- 1212
- CMD
- "C:\Users\admin\AppData\Local\Temp\jiazt.exe"
- Path
- C:\Users\admin\AppData\Local\Temp\jiazt.exe
- Indicators
- No indicators
- Parent process
- ––
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\shell32.dll |
| c:\users\admin\appdata\local\temp\jiazt.exe |
| c:\windows\system32\userenv.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\lpk.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\apphelp.dll |
- PID
- 3384
- CMD
- --44dd9200
- Path
- C:\Users\admin\AppData\Local\Temp\jiazt.exe
- Indicators
- Parent process
- jiazt.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\user32.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\sechost.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\cryptbase.dll |
| c:\users\admin\appdata\local\temp\jiazt.exe |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\cryptsp.dll |
| c:\users\admin\appdata\local\serialfunc\ser |
| c:\windows\system32\mssprxy.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\devobj.dll |
| c:\windows\system32\apphelp.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\propsys.dll |
| c:\windows\system32\rpcrtremote.dll |
- PID
- 2160
- CMD
- "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
- Path
- C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
- Indicators
- No indicators
- Parent process
- jiazt.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\userenv.dll |
| c:\windows\system32\rsaenh.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\user32.dll |
| c:\users\admin\appdata\local\serialfunc\serialfunc.exe |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\apphelp.dll |
- PID
- 2056
- CMD
- --d6864438
- Path
- C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
- Indicators
- Parent process
- serialfunc.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\lpk.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\kernelbase.dll |
| c:\users\admin\appdata\local\serialfunc\serialfunc.exe |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\wininet.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\wtsapi32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\rasman.dll |
| c:\windows\system32\dnsapi.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\nlaapi.dll |
| c:\windows\system32\rtutils.dll |
| c:\windows\system32\sensapi.dll |
| c:\windows\system32\rasadhlp.dll |
| c:\windows\system32\wship6.dll |
| c:\windows\system32\wshtcpip.dll |
| c:\windows\system32\winnsi.dll |
| c:\windows\system32\mswsock.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\rasapi32.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\normaliz.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\wshqos.dll |
| c:\windows\system32\srvcli.dll |
| c:\windows\system32\browcli.dll |
| c:\windows\system32\netapi32.dll |
| c:\windows\system32\wkscli.dll |
| c:\programdata\u2hhigpxmyt8st0s5rk.exe |
| c:\windows\system32\mpr.dll |
| c:\windows\system32\netutils.dll |
| c:\windows\system32\drprov.dll |
| c:\windows\system32\ntlanman.dll |
| c:\windows\system32\cscapi.dll |
| c:\windows\system32\samcli.dll |
| c:\windows\system32\davclnt.dll |
| c:\windows\system32\winsta.dll |
| c:\windows\system32\davhlpr.dll |
| c:\windows\system32\apphelp.dll |
- PID
- 792
- CMD
- "C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe"
- Path
- C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe
- Indicators
- No indicators
- Parent process
- serialfunc.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\programdata\u2hhigpxmyt8st0s5rk.exe |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\crypt32.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\apphelp.dll |
- PID
- 1932
- CMD
- "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\6BDF.tmp"
- Path
- C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
- Indicators
- No indicators
- Parent process
- serialfunc.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\ole32.dll |
| c:\progra~1\micros~1\office14\olmapi32.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll |
| c:\windows\system32\version.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\shell32.dll |
| c:\program files\common files\microsoft shared\office14\cultures\office.odf |
| c:\users\admin\appdata\local\serialfunc\serialfunc.exe |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\advapi32.dll |
| c:\program files\common files\microsoft shared\office14\mso.dll |
| c:\windows\system32\ntmarta.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\msi.dll |
| c:\windows\system32\powrprof.dll |
| c:\program files\common files\microsoft shared\office14\riched20.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\devobj.dll |
| c:\progra~1\micros~1\office14\1033\mapir.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\user32.dll |
| c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\rpcrtremote.dll |
| c:\progra~1\micros~1\office14\contab32.dll |
| c:\progra~1\micros~1\office14\omsxp32.dll |
| c:\windows\system32\wininet.dll |
| c:\progra~1\micros~1\office14\mspst32.dll |
- PID
- 1096
- CMD
- "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\6C1E.tmp"
- Path
- C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
- Indicators
- Parent process
- serialfunc.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\users\admin\appdata\local\serialfunc\serialfunc.exe |
| c:\windows\system32\user32.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\progra~1\micros~1\office14\olmapi32.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\version.dll |
| c:\program files\common files\microsoft shared\office14\mso.dll |
| c:\program files\common files\microsoft shared\office14\cultures\office.odf |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\msi.dll |
| c:\progra~1\micros~1\office14\1033\mapir.dll |
| c:\windows\system32\devobj.dll |
| c:\program files\common files\microsoft shared\office14\riched20.dll |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\powrprof.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\oleaut32.dll |
| c:\progra~1\micros~1\office14\mspst32.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\progra~1\micros~1\office14\contab32.dll |
| c:\progra~1\micros~1\office14\omsxp32.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\wininet.dll |
| c:\windows\system32\rpcrtremote.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\clbcatq.dll |
- PID
- 2508
- CMD
- --a4023668
- Path
- C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe
- Indicators
- Parent process
- u2hHiGPxmyt8ST0S5rk.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\rsaenh.dll |
| c:\programdata\u2hhigpxmyt8st0s5rk.exe |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\cryptbase.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\msvcrt.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\msasn1.dll |
| c:\users\admin\appdata\local\serialfun |
| c:\windows\system32\setupapi.dll |
| c:\windows\system32\propsys.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\clbcatq.dll |
| c:\windows\system32\devobj.dll |
| c:\windows\system32\mssprxy.dll |
| c:\windows\system32\cfgmgr32.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\rpcrtremote.dll |
| c:\windows\system32\apphelp.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\ntmarta.dll |
- PID
- 3124
- CMD
- "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
- Path
- C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
- Indicators
- No indicators
- Parent process
- u2hHiGPxmyt8ST0S5rk.exe
- User
- admin
- Integrity Level
- MEDIUM
- Exit code
- 0
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\cryptbase.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\winspool.drv |
| c:\users\admin\appdata\local\serialfunc\serialfunc.exe |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\profapi.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\lpk.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\crypt32.dll |
| c:\windows\system32\apphelp.dll |
- PID
- 184
- CMD
- --d6864438
- Path
- C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
- Indicators
- Parent process
- serialfunc.exe
- User
- admin
- Integrity Level
- MEDIUM
- Version:
- Company
- Description
- Version
Modules
| Image |
|---|
| c:\windows\system32\profapi.dll |
| c:\windows\system32\kernel32.dll |
| c:\windows\system32\kernelbase.dll |
| c:\windows\system32\sechost.dll |
| c:\windows\system32\usp10.dll |
| c:\windows\system32\user32.dll |
| c:\windows\system32\msvcrt.dll |
| c:\windows\system32\userenv.dll |
| c:\windows\system32\shell32.dll |
| c:\windows\system32\msctf.dll |
| c:\windows\system32\advapi32.dll |
| c:\windows\system32\winspool.drv |
| c:\windows\system32\rsaenh.dll |
| c:\windows\system32\rpcrt4.dll |
| c:\windows\system32\sspicli.dll |
| c:\windows\system32\crypt32.dll |
| c:\systemroot\system32\ntdll.dll |
| c:\windows\system32\gdi32.dll |
| c:\windows\system32\shlwapi.dll |
| c:\windows\system32\imm32.dll |
| c:\windows\system32\msasn1.dll |
| c:\windows\system32\comdlg32.dll |
| c:\windows\system32\cryptsp.dll |
| c:\windows\system32\cryptbase.dll |
| c:\users\admin\appdata\local\serialfunc\serialfunc.exe |
| c:\windows\system32\lpk.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll |
| c:\windows\system32\ole32.dll |
| c:\windows\system32\wininet.dll |
| c:\windows\system32\iertutil.dll |
| c:\windows\system32\wtsapi32.dll |
| c:\windows\system32\urlmon.dll |
| c:\windows\system32\oleaut32.dll |
| c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll |
| c:\windows\system32\winnsi.dll |
| c:\windows\system32\dnsapi.dll |
| c:\windows\system32\rasadhlp.dll |
| c:\windows\system32\wshtcpip.dll |
| c:\windows\system32\nsi.dll |
| c:\windows\system32\ws2_32.dll |
| c:\windows\system32\ntmarta.dll |
| c:\windows\system32\normaliz.dll |
| c:\windows\system32\rasman.dll |
| c:\windows\system32\iphlpapi.dll |
| c:\windows\system32\sensapi.dll |
| c:\windows\system32\nlaapi.dll |
| c:\windows\system32\rtutils.dll |
| c:\windows\system32\wldap32.dll |
| c:\windows\system32\wshqos.dll |
| c:\windows\system32\rasapi32.dll |
| c:\windows\system32\mswsock.dll |
| c:\windows\system32\wship6.dll |
Registry activity
Total events
434
Read events
346
Write events
88
Delete events
0
Modification events
PID
Process
Operation
Key
Name
Value
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
EnableFileTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
EnableConsoleTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
FileTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
ConsoleTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
MaxFileSize
1048576
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
FileDirectory
%windir%\tracing
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
EnableFileTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
EnableConsoleTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
FileTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
ConsoleTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
MaxFileSize
1048576
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
FileDirectory
%windir%\tracing
2056
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2056
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2056
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
serialfunc
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1932
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
4C07000000000000
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook.pst
D012000000000000
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\[email protected]
6403000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1096
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
1200000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
4C07000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
clsid
{ED475411-B0D6-11D2-8C3B-00104B2A6676}
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Mini UID
224868084
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Delivery Store EntryID
0000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C0068006F006E0065007900400070006F0074002E0063006F006D002E007000730074000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Delivery Folder EntryID
000000008120A19F92063E4E9CC774D948BA3E6682800000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Preferences UID
418ABE3735B01848A858B97DEDA4F045
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Account Name
68006F006E0065007900400070006F0074002E0063006F006D000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Display Name
48006F006E006500790050006F00740020004D00610069006C000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Email
68006F006E0065007900400070006F0074002E0063006F006D000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
POP3 Server
3100390032002E003100360038002E0031002E0031000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
SMTP Server
3100390032002E003100360038002E0031002E0031000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
POP3 User
68006F006E0065007900400070006F0074002E0063006F006D000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
POP3 Password
0201000000D08C9DDF0115D1118C7A00C04FC297EB01000000238F3B756708444DB8EF4E01FB67F2FE000000001C00000050004F00500033002000500061007300730077006F007200640000001066000000010000200000006E7FBD6293AECF38385B3F97AB4180173199741FB9C4A1AA7BBE2589D5C6DFD8000000000E8000000002000020000000F57A36E5105033C80292D6D9BC36E2769DAE970844C10A631D513DE746328E8320000000AD6C7414E6EFF091C62EF371F28A55EF33708DDB5D7C94D581D078EE707AB47D400000004837B4DC6AA8A67FD35C3B5EA29BEC49DBC01BC07523C8621DD0619C3EFCD2C4BDAF367E51A301CC22BB2FE2D85FC97F7ED641DC0F93B71BECEC967E7DE661CF
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
SMTP Secure Connection
0
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Leave on Server
917507
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
3300000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\418abe3735b01848a858b97deda4f045
001f3001
4100630063007400530065007400740069006E006700730030003000300036000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook.pst
D012000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\[email protected]
6403000000000000
184
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
184
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
184
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
serialfunc
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
Files activity
Executable files
3
Suspicious files
1
Text files
0
Unknown types
3
Dropped files
PID
Process
Filename
Type
2508
u2hHiGPxmyt8ST0S5rk.exe
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
executable
MD5:
c882de666f59cdeff7c0f5611d18fa3f
SHA256:
2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
2056
serialfunc.exe
C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe
executable
MD5:
c882de666f59cdeff7c0f5611d18fa3f
SHA256:
2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
3384
jiazt.exe
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
executable
MD5:
150c830e94d8ea723b7620ff20c47337
SHA256:
703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b
1096
serialfunc.exe
C:\Users\admin\AppData\Local\Temp\6C1E.tmp
binary
MD5:
913940e959b3101efd43b1ede527f17c
SHA256:
b79746a5c6be28a286bac68d395590db6607e4039a14e84b2f102fbd5e2fa7b8
1932
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
pst
MD5:
4003182a8771f9c657f36c9b53919eec
SHA256:
a9444565d26b26b8cb533846b7ccb3f616d2e1caff1ce0cb348046c238543b07
1932
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst
pst
MD5:
b8f6690a5c3ab890774e7cabf4d75094
SHA256:
82042ec4e11fffbf1b0b5e6721afce8ac960267b2061c1ca2b30ebc2e58f4d17
1096
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp
––
MD5:
––
SHA256:
––
1932
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
pst
MD5:
2a7c80e137009b6a43da7d8472dc1414
SHA256:
70071a4e4896876e4e112717ce1526b568b06c20180bc7ea24959ee3da9454e6
1096
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp
––
MD5:
––
SHA256:
––
Network activity
HTTP(S) requests
15
TCP/UDP connections
11
DNS requests
0
Threats
27
HTTP requests
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2056 | serialfunc.exe | POST | –– | 212.186.191.177:80 | http://212.186.191.177/P7uonWO4H | AT |
image
––
|
––
|
malicious |
| 2056 | serialfunc.exe | POST | 200 | 91.242.138.5:80 | http://91.242.138.5/iP9QFNHepQbzGeVCkU | ES |
text
binary
|
|
malicious |
| 2056 | serialfunc.exe | POST | 200 | 91.242.138.5:80 | http://91.242.138.5/h7uQ9S1iDSAFneEDa | ES |
text
binary
|
|
malicious |
| 2056 | serialfunc.exe | POST | 200 | 37.157.195.120:7080 | http://37.157.195.120:7080/h7uQ9S1iDSAFneEDa | CZ |
text
binary
|
|
malicious |
| 2056 | serialfunc.exe | POST | –– | 37.157.195.120:7080 | http://37.157.195.120:7080/VCv2iiejsVz | CZ |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | –– | 212.186.191.177:80 | http://212.186.191.177/SutDnL5jV1 | AT |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | 200 | 91.242.138.5:80 | http://91.242.138.5/eTEOp6Shioe1QxAWaIs | ES |
text
binary
|
|
malicious |
| 184 | serialfunc.exe | POST | 200 | 91.242.138.5:80 | http://91.242.138.5/RYkpFN6qk2DfUCxy | ES |
text
binary
|
|
malicious |
| 184 | serialfunc.exe | POST | –– | 37.157.195.120:7080 | http://37.157.195.120:7080/RYkpFN6qk2DfUCxy | CZ |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | –– | 192.241.131.79:8080 | http://192.241.131.79:8080/DLCctGAr2 | US |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | 200 | 217.149.241.121:8080 | http://217.149.241.121:8080/tgHisYnG2Qzz4 | PL |
text
binary
|
|
malicious |
| 184 | serialfunc.exe | POST | –– | 217.149.241.121:8080 | http://217.149.241.121:8080/zBqGcHT | PL |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | –– | 37.157.195.120:7080 | http://37.157.195.120:7080/tl8JOvKiX9Y7gXG8w | CZ |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | –– | 192.241.131.79:8080 | http://192.241.131.79:8080/fKS2eyiZX | US |
text
––
|
––
|
malicious |
| 184 | serialfunc.exe | POST | –– | 217.149.241.121:8080 | http://217.149.241.121:8080/wAXHVPqMgc83WJXjt7 | PL |
text
––
|
––
|
malicious |
Connections
| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 2056 | serialfunc.exe | 212.186.191.177:80 | Liberty Global Operations B.V. | AT | malicious |
| 2056 | serialfunc.exe | 91.242.138.5:80 | Visovision S.l. | ES | malicious |
| 2056 | serialfunc.exe | 37.157.195.120:7080 | WEDOS Internet, a.s. | CZ | malicious |
| 184 | serialfunc.exe | 212.186.191.177:80 | Liberty Global Operations B.V. | AT | malicious |
| 184 | serialfunc.exe | 91.242.138.5:80 | Visovision S.l. | ES | malicious |
| 184 | serialfunc.exe | 37.157.195.120:7080 | WEDOS Internet, a.s. | CZ | malicious |
| 184 | serialfunc.exe | 192.241.131.79:8080 | Digital Ocean, Inc. | US | malicious |
| 184 | serialfunc.exe | 217.149.241.121:8080 | ATM S.A. | PL | malicious |
Threats
| PID | Process | Class | Message |
|---|---|---|---|
| 2056 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
| 2056 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
| 2056 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 2056 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 2056 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 2056 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
| 2056 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 2056 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
| 184 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
| 184 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
| 2056 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
| 2056 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
| 2056 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M5 |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet CnC Activity (POST) M6 |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
| 184 | serialfunc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet |
Debug output strings
No debug info.