General Info

File name

jiazt

Full analysis
https://app.any.run/tasks/c255332e-90d5-4c1f-99a9-e2c0025e2b01
Verdict
Malicious activity
Threats:

Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.

Analysis date
12/2/2019, 22:40:56
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

emotet

banker

trojan

stealer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

150c830e94d8ea723b7620ff20c47337

SHA1

19c6fc075f1788c679dd55317302e2b264795763

SHA256

703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b

SSDEEP

6144:imtSfyuhgWlFcDGIrtHLkij3V4bSW6KRLPkWvtb:BSqORctrkiDV4o6Lb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
EMOTET was detected
  • serialfunc.exe (PID: 2056)
  • serialfunc.exe (PID: 184)
Emotet process was detected
  • jiazt.exe (PID: 3384)
  • u2hHiGPxmyt8ST0S5rk.exe (PID: 2508)
Changes the autorun value in the registry
  • serialfunc.exe (PID: 2056)
  • serialfunc.exe (PID: 184)
Connects to CnC server
  • serialfunc.exe (PID: 2056)
  • serialfunc.exe (PID: 184)
Stealing of credential data
  • serialfunc.exe (PID: 1096)
Application launched itself
  • jiazt.exe (PID: 1212)
  • serialfunc.exe (PID: 2160)
  • serialfunc.exe (PID: 2056)
  • u2hHiGPxmyt8ST0S5rk.exe (PID: 792)
  • serialfunc.exe (PID: 3124)
Starts itself from another location
  • jiazt.exe (PID: 3384)
  • serialfunc.exe (PID: 2056)
  • u2hHiGPxmyt8ST0S5rk.exe (PID: 2508)
Connects to unusual port
  • serialfunc.exe (PID: 2056)
  • serialfunc.exe (PID: 184)
Creates files in the program directory
  • serialfunc.exe (PID: 2056)
Executable content was dropped or overwritten
  • serialfunc.exe (PID: 2056)
  • jiazt.exe (PID: 3384)
  • u2hHiGPxmyt8ST0S5rk.exe (PID: 2508)
Connects to server without host name
  • serialfunc.exe (PID: 2056)
  • serialfunc.exe (PID: 184)
Reads Microsoft Office registry keys
  • serialfunc.exe (PID: 1932)
  • serialfunc.exe (PID: 1096)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (35.8%)
.exe
|   Win64 Executable (generic) (31.7%)
.scr
|   Windows screen saver (15%)
.dll
|   Win32 Dynamic Link Library (generic) (7.5%)
.exe
|   Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:12:02 21:19:01+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
335872
InitializedDataSize:
262144
UninitializedDataSize:
null
EntryPoint:
0x52b8
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
02-Dec-2019 20:19:01
Detected languages
English - United States
Debug artifacts
\User\Desktop\Visual 6.0\VerySource.com_7786bc849ebf149a2aaf8801acd3fa75b1476ac3-4225451\MFC_Bible\Code\DlgSmpl\WinRel\DlgSmpl.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
02-Dec-2019 20:19:01
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x000513DC 0x00052000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 5.33887
.rdata 0x00053000 0x0000E58F 0x0000F000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.50595
.data 0x00062000 0x0001BE48 0x00018000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 6.75094
.idata 0x0007E000 0x0000339D 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.36141
.rsrc 0x00082000 0x00009363 0x0000A000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.38152
.reloc 0x0008C000 0x0000663E 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 5.74513
Resources
1

2

3

4

5

6

7

8

9

10

100

128

129

130

131

132

133

134

135

2049

3585

3601

3602

3603

3604

3605

3606

3697

3713

3825

3826

3841

3842

3843

3857

3858

3859

3865

3866

3867

3868

3869

26567

30721

30977

30994

30995

30996

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    comdlg32.dll

    WINSPOOL.DRV

    ADVAPI32.dll

    SHELL32.dll

    COMCTL32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
43
Monitored processes
10
Malicious processes
8
Suspicious processes
0

Behavior graph

+
start drop and start jiazt.exe no specs #EMOTET jiazt.exe serialfunc.exe no specs #EMOTET serialfunc.exe u2hhigpxmyt8st0s5rk.exe no specs serialfunc.exe no specs serialfunc.exe #EMOTET u2hhigpxmyt8st0s5rk.exe serialfunc.exe no specs #EMOTET serialfunc.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1212
CMD
"C:\Users\admin\AppData\Local\Temp\jiazt.exe"
Path
C:\Users\admin\AppData\Local\Temp\jiazt.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\jiazt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID
3384
CMD
--44dd9200
Path
C:\Users\admin\AppData\Local\Temp\jiazt.exe
Indicators
Parent process
jiazt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\jiazt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\serialfunc\ser
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll

PID
2160
CMD
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
Path
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Indicators
No indicators
Parent process
jiazt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID
2056
CMD
--d6864438
Path
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Indicators
Parent process
serialfunc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\apphelp.dll
c:\programdata\u2hhigpxmyt8st0s5rk.exe
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\browcli.dll

PID
792
CMD
"C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe"
Path
C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe
Indicators
No indicators
Parent process
serialfunc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\programdata\u2hhigpxmyt8st0s5rk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID
1932
CMD
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\6BDF.tmp"
Path
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Indicators
No indicators
Parent process
serialfunc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\progra~1\micros~1\office14\olmapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\progra~1\micros~1\office14\1033\mapir.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\progra~1\micros~1\office14\contab32.dll
c:\progra~1\micros~1\office14\omsxp32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\mspst32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
1096
CMD
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\6C1E.tmp"
Path
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Indicators
Parent process
serialfunc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\progra~1\micros~1\office14\olmapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\progra~1\micros~1\office14\1033\mapir.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\progra~1\micros~1\office14\contab32.dll
c:\progra~1\micros~1\office14\omsxp32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\progra~1\micros~1\office14\mspst32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2508
CMD
--a4023668
Path
C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe
Indicators
Parent process
u2hHiGPxmyt8ST0S5rk.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\programdata\u2hhigpxmyt8st0s5rk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\serialfun
c:\windows\system32\mssprxy.dll

PID
3124
CMD
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
Path
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Indicators
No indicators
Parent process
u2hHiGPxmyt8ST0S5rk.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID
184
CMD
--d6864438
Path
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
Indicators
Parent process
serialfunc.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events
434
Read events
346
Write events
88
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
EnableFileTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
EnableConsoleTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
FileTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
ConsoleTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
MaxFileSize
1048576
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32
FileDirectory
%windir%\tracing
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
EnableFileTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
EnableConsoleTracing
0
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
FileTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
ConsoleTracingMask
4294901760
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
MaxFileSize
1048576
2056
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS
FileDirectory
%windir%\tracing
2056
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2056
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2056
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
serialfunc
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1932
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
4C07000000000000
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook.pst
D012000000000000
1932
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\[email protected]
6403000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
1096
serialfunc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
1200000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
4C07000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
clsid
{ED475411-B0D6-11D2-8C3B-00104B2A6676}
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Mini UID
224868084
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Delivery Store EntryID
0000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C0068006F006E0065007900400070006F0074002E0063006F006D002E007000730074000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Delivery Folder EntryID
000000008120A19F92063E4E9CC774D948BA3E6682800000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Preferences UID
418ABE3735B01848A858B97DEDA4F045
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Account Name
68006F006E0065007900400070006F0074002E0063006F006D000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Display Name
48006F006E006500790050006F00740020004D00610069006C000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Email
68006F006E0065007900400070006F0074002E0063006F006D000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
POP3 Server
3100390032002E003100360038002E0031002E0031000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
SMTP Server
3100390032002E003100360038002E0031002E0031000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
POP3 User
68006F006E0065007900400070006F0074002E0063006F006D000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
POP3 Password
0201000000D08C9DDF0115D1118C7A00C04FC297EB01000000238F3B756708444DB8EF4E01FB67F2FE000000001C00000050004F00500033002000500061007300730077006F007200640000001066000000010000200000006E7FBD6293AECF38385B3F97AB4180173199741FB9C4A1AA7BBE2589D5C6DFD8000000000E8000000002000020000000F57A36E5105033C80292D6D9BC36E2769DAE970844C10A631D513DE746328E8320000000AD6C7414E6EFF091C62EF371F28A55EF33708DDB5D7C94D581D078EE707AB47D400000004837B4DC6AA8A67FD35C3B5EA29BEC49DBC01BC07523C8621DD0619C3EFCD2C4BDAF367E51A301CC22BB2FE2D85FC97F7ED641DC0F93B71BECEC967E7DE661CF
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
SMTP Secure Connection
0
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006
Leave on Server
917507
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
3300000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\418abe3735b01848a858b97deda4f045
001f3001
4100630063007400530065007400740069006E006700730030003000300036000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\Outlook.pst
D012000000000000
1096
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
C:\Users\admin\Documents\Outlook Files\[email protected]
6403000000000000
184
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
184
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
184
serialfunc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
serialfunc
"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"

Files activity

Executable files
3
Suspicious files
1
Text files
0
Unknown types
3

Dropped files

PID
Process
Filename
Type
2508
u2hHiGPxmyt8ST0S5rk.exe
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
executable
MD5: c882de666f59cdeff7c0f5611d18fa3f
SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
2056
serialfunc.exe
C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe
executable
MD5: c882de666f59cdeff7c0f5611d18fa3f
SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe
3384
jiazt.exe
C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe
executable
MD5: 150c830e94d8ea723b7620ff20c47337
SHA256: 703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b
1096
serialfunc.exe
C:\Users\admin\AppData\Local\Temp\6C1E.tmp
binary
MD5: 913940e959b3101efd43b1ede527f17c
SHA256: b79746a5c6be28a286bac68d395590db6607e4039a14e84b2f102fbd5e2fa7b8
1932
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
pst
MD5: 4003182a8771f9c657f36c9b53919eec
SHA256: a9444565d26b26b8cb533846b7ccb3f616d2e1caff1ce0cb348046c238543b07
1932
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst
pst
MD5: b8f6690a5c3ab890774e7cabf4d75094
SHA256: 82042ec4e11fffbf1b0b5e6721afce8ac960267b2061c1ca2b30ebc2e58f4d17
1096
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
1096
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp
––
MD5:  ––
SHA256:  ––
1932
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
pst
MD5: 2a7c80e137009b6a43da7d8472dc1414
SHA256: 70071a4e4896876e4e112717ce1526b568b06c20180bc7ea24959ee3da9454e6
1096
serialfunc.exe
C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
15
TCP/UDP connections
11
DNS requests
0
Threats
27

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2056 serialfunc.exe POST –– 212.186.191.177:80 http://212.186.191.177/P7uonWO4H AT
image
––
––
malicious
2056 serialfunc.exe POST 200 91.242.138.5:80 http://91.242.138.5/iP9QFNHepQbzGeVCkU ES
text
binary
malicious
2056 serialfunc.exe POST 200 91.242.138.5:80 http://91.242.138.5/h7uQ9S1iDSAFneEDa ES
text
binary
malicious
2056 serialfunc.exe POST 200 37.157.195.120:7080 http://37.157.195.120:7080/h7uQ9S1iDSAFneEDa CZ
text
binary
malicious
2056 serialfunc.exe POST –– 37.157.195.120:7080 http://37.157.195.120:7080/VCv2iiejsVz CZ
text
––
––
malicious
184 serialfunc.exe POST –– 212.186.191.177:80 http://212.186.191.177/SutDnL5jV1 AT
text
––
––
malicious
184 serialfunc.exe POST 200 91.242.138.5:80 http://91.242.138.5/eTEOp6Shioe1QxAWaIs ES
text
binary
malicious
184 serialfunc.exe POST 200 91.242.138.5:80 http://91.242.138.5/RYkpFN6qk2DfUCxy ES
text
binary
malicious
184 serialfunc.exe POST –– 37.157.195.120:7080 http://37.157.195.120:7080/RYkpFN6qk2DfUCxy CZ
text
––
––
malicious
184 serialfunc.exe POST –– 192.241.131.79:8080 http://192.241.131.79:8080/DLCctGAr2 US
text
––
––
malicious
184 serialfunc.exe POST 200 217.149.241.121:8080 http://217.149.241.121:8080/tgHisYnG2Qzz4 PL
text
binary
malicious
184 serialfunc.exe POST –– 217.149.241.121:8080 http://217.149.241.121:8080/zBqGcHT PL
text
––
––
malicious
184 serialfunc.exe POST –– 37.157.195.120:7080 http://37.157.195.120:7080/tl8JOvKiX9Y7gXG8w CZ
text
––
––
malicious
184 serialfunc.exe POST –– 192.241.131.79:8080 http://192.241.131.79:8080/fKS2eyiZX US
text
––
––
malicious
184 serialfunc.exe POST –– 217.149.241.121:8080 http://217.149.241.121:8080/wAXHVPqMgc83WJXjt7 PL
text
––
––
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2056 serialfunc.exe 212.186.191.177:80 Liberty Global Operations B.V. AT malicious
2056 serialfunc.exe 91.242.138.5:80 Visovision S.l. ES malicious
2056 serialfunc.exe 37.157.195.120:7080 WEDOS Internet, a.s. CZ malicious
184 serialfunc.exe 212.186.191.177:80 Liberty Global Operations B.V. AT malicious
184 serialfunc.exe 91.242.138.5:80 Visovision S.l. ES malicious
184 serialfunc.exe 37.157.195.120:7080 WEDOS Internet, a.s. CZ malicious
184 serialfunc.exe 192.241.131.79:8080 Digital Ocean, Inc. US malicious
184 serialfunc.exe 217.149.241.121:8080 ATM S.A. PL malicious

DNS requests

No DNS requests.

Threats

PID Process Class Message
2056 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M5
2056 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M6
2056 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2056 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2056 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2056 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M5
2056 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M6
2056 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M5
184 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M6
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M5
184 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M6
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
2056 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M5
2056 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M6
2056 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M5
184 serialfunc.exe A Network Trojan was detected ET TROJAN Win32/Emotet CnC Activity (POST) M6
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet
184 serialfunc.exe A Network Trojan was detected MALWARE [PTsecurity] Feodo/Emotet

Debug output strings

No debug info.