703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b

General Info

File name: jiazt

Full analysis: https://app.any.run/tasks/c255332e-90d5-4c1f-99a9-e2c0025e2b01

Verdict: Malicious activity

Threats:

emotet

Emotet is an extremely sophisticated and destructive banking Trojan used to download and install other malware. First recorded in 2014, Emotet has gained advanced capabilities over the course of its lifetime. Today Emotet is targeting governments, corporations, small businesses and individuals, focusing on Europe, America, and Canada.

Malware Trends Tracker

More details

Analysis date: 12/2/2019, 22:40:56

OS:: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Tags:: emotet

banker

trojan

stealer

Indicators:

MIME:: application/x-dosexec

File info:: PE32 executable (GUI) Intel 80386, for MS Windows

MD5: 150c830e94d8ea723b7620ff20c47337

SHA1: 19c6fc075f1788c679dd55317302e2b264795763

SHA256: 703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b

SSDEEP: 6144:imtSfyuhgWlFcDGIrtHLkij3V4bSW6KRLPkWvtb:BSqORctrkiDV4o6Lb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds

Additional time used: 240 seconds

Fakenet option: off

Heavy Evaision option: off

MITM proxy: off

Route via Tor: off

Network geolocation: off

Privacy: Public submission

Autoconfirmation of UAC: on

Software preset

Internet Explorer 8.0.7601.17514
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Behavior activities

MALICIOUS	SUSPICIOUS	INFO
EMOTET was detected serialfunc.exe (PID: 2056) serialfunc.exe (PID: 184) Emotet process was detected jiazt.exe (PID: 3384) u2hHiGPxmyt8ST0S5rk.exe (PID: 2508) Changes the autorun value in the registry serialfunc.exe (PID: 2056) serialfunc.exe (PID: 184) Connects to CnC server serialfunc.exe (PID: 2056) serialfunc.exe (PID: 184) Stealing of credential data serialfunc.exe (PID: 1096)	Application launched itself jiazt.exe (PID: 1212) serialfunc.exe (PID: 2160) serialfunc.exe (PID: 2056) u2hHiGPxmyt8ST0S5rk.exe (PID: 792) serialfunc.exe (PID: 3124) Starts itself from another location jiazt.exe (PID: 3384) serialfunc.exe (PID: 2056) u2hHiGPxmyt8ST0S5rk.exe (PID: 2508) Connects to unusual port serialfunc.exe (PID: 2056) serialfunc.exe (PID: 184) Creates files in the program directory serialfunc.exe (PID: 2056) Executable content was dropped or overwritten serialfunc.exe (PID: 2056) jiazt.exe (PID: 3384) u2hHiGPxmyt8ST0S5rk.exe (PID: 2508) Connects to server without host name serialfunc.exe (PID: 2056) serialfunc.exe (PID: 184)	Reads Microsoft Office registry keys serialfunc.exe (PID: 1932) serialfunc.exe (PID: 1096)

MALICIOUS

SUSPICIOUS

INFO

EMOTET was detected

serialfunc.exe (PID: 2056)
serialfunc.exe (PID: 184)

Emotet process was detected

jiazt.exe (PID: 3384)
u2hHiGPxmyt8ST0S5rk.exe (PID: 2508)

Changes the autorun value in the registry

serialfunc.exe (PID: 2056)
serialfunc.exe (PID: 184)

Connects to CnC server

serialfunc.exe (PID: 2056)
serialfunc.exe (PID: 184)

Stealing of credential data

serialfunc.exe (PID: 1096)

Application launched itself

jiazt.exe (PID: 1212)
serialfunc.exe (PID: 2160)
serialfunc.exe (PID: 2056)
u2hHiGPxmyt8ST0S5rk.exe (PID: 792)
serialfunc.exe (PID: 3124)

Starts itself from another location

jiazt.exe (PID: 3384)
serialfunc.exe (PID: 2056)
u2hHiGPxmyt8ST0S5rk.exe (PID: 2508)

Connects to unusual port

serialfunc.exe (PID: 2056)
serialfunc.exe (PID: 184)

Creates files in the program directory

serialfunc.exe (PID: 2056)

Executable content was dropped or overwritten

serialfunc.exe (PID: 2056)
jiazt.exe (PID: 3384)
u2hHiGPxmyt8ST0S5rk.exe (PID: 2508)

Connects to server without host name

serialfunc.exe (PID: 2056)
serialfunc.exe (PID: 184)

Reads Microsoft Office registry keys

serialfunc.exe (PID: 1932)
serialfunc.exe (PID: 1096)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD

.exe

| Win32 Executable MS Visual C++ (generic) (35.8%)

.exe

| Win64 Executable (generic) (31.7%)

.scr

| Windows screen saver (15%)

.dll

| Win32 Dynamic Link Library (generic) (7.5%)

.exe

| Win32 Executable (generic) (5.1%)

EXIF

MachineType:

Intel 386 or later, and compatibles

TimeStamp:

2019:12:02 21:19:01+01:00

PEType:

PE32

LinkerVersion:

CodeSize:

335872

InitializedDataSize:

262144

UninitializedDataSize:

null

EntryPoint:

0x52b8

OSVersion:

ImageVersion:

null

SubsystemVersion:

Subsystem:

Windows GUI

Summary

Architecture:

IMAGE_FILE_MACHINE_I386

Subsystem:

IMAGE_SUBSYSTEM_WINDOWS_GUI

Compilation Date:

02-Dec-2019 20:19:01

Detected languages

English - United States

Debug artifacts

\User\Desktop\Visual 6.0\VerySource.com_7786bc849ebf149a2aaf8801acd3fa75b1476ac3-4225451\MFC_Bible\Code\DlgSmpl\WinRel\DlgSmpl.pdb

DOS Header

Magic number:

Bytes on last page of file:

0x0090

Pages in file:

0x0003

Relocations:

0x0000

Size of header:

0x0004

Min extra paragraphs:

0x0000

Max extra paragraphs:

0xFFFF

Initial SS value:

0x0000

Initial SP value:

0x00B8

Checksum:

0x0000

Initial IP value:

0x0000

Initial CS value:

0x0000

Overlay number:

0x0000

OEM identifier:

0x0000

OEM information:

0x0000

Address of NE header:

0x000000E8

PE Headers

Signature:

Machine:

IMAGE_FILE_MACHINE_I386

Number of sections:

Time date stamp:

02-Dec-2019 20:19:01

Pointer to Symbol Table:

0x00000000

Number of symbols:

Size of Optional Header:

0x00E0

Characteristics

IMAGE_FILE_32BIT_MACHINE

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_LINE_NUMS_STRIPPED

IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x000513DC	0x00052000	IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ	5.33887
.rdata	0x00053000	0x0000E58F	0x0000F000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ	3.50595
.data	0x00062000	0x0001BE48	0x00018000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	6.75094
.idata	0x0007E000	0x0000339D	0x00004000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	4.36141
.rsrc	0x00082000	0x00009363	0x0000A000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ	3.38152
.reloc	0x0008C000	0x0000663E	0x00007000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ	5.74513

Resources

100

128

129

130

131

132

133

134

135

2049

3585

3601

3602

3603

3604

3605

3606

3697

3713

3825

3826

3841

3842

3843

3857

3858

3859

3865

3866

3867

3868

3869

26567

30721

30977

30994

30995

30996

Imports

KERNEL32.dll

USER32.dll

GDI32.dll

comdlg32.dll

WINSPOOL.DRV

ADVAPI32.dll

SHELL32.dll

COMCTL32.dll

Exports

No exports.

Screenshots

Screenshot of 703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b taken from 25032 ms from task started

Screenshot of 703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b taken from 63249 ms from task started

Processes

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

–

Specs description

Program did not start

Integrity level elevation

Task сontains an error or was rebooted

Process has crashed

Task contains several apps running

Executable file was dropped

Debug information is available

Process was injected

Network attacks were detected

Application downloaded the executable file

Actions similar to stealing personal data

Behavior similar to exploiting the vulnerability

Inspected object has sucpicious PE structure

File is detected by antivirus software

CPU overrun

RAM overrun

Process starts the services

Process was added to the startup

Behavior similar to spam

Low-level access to the HDD

Probably Tor was used

System was rebooted

Connects to the network

Known threat

Process information

Click at the process to see the details.

PID: 1212

CMD: "C:\Users\admin\AppData\Local\Temp\jiazt.exe"

Path: C:\Users\admin\AppData\Local\Temp\jiazt.exe

Indicators: No indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\temp\jiazt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID: 3384

CMD: --44dd9200

Path: C:\Users\admin\AppData\Local\Temp\jiazt.exe

Indicators

Parent process: jiazt.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\temp\jiazt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\serialfunc\ser
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll

PID: 2160

CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"

Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

Indicators: No indicators

Parent process: jiazt.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID: 2056

CMD: --d6864438

Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

Indicators

Parent process: serialfunc.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\apphelp.dll
c:\programdata\u2hhigpxmyt8st0s5rk.exe
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\browcli.dll

PID: 792

CMD: "C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe"

Path: C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe

Indicators: No indicators

Parent process: serialfunc.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\programdata\u2hhigpxmyt8st0s5rk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID: 1932

CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\6BDF.tmp"

Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

Indicators: No indicators

Parent process: serialfunc.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\progra~1\micros~1\office14\olmapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\progra~1\micros~1\office14\1033\mapir.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\progra~1\micros~1\office14\contab32.dll
c:\progra~1\micros~1\office14\omsxp32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\mspst32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID: 1096

CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe" "C:\Users\admin\AppData\Local\Temp\6C1E.tmp"

Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

Indicators

Parent process: serialfunc.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\progra~1\micros~1\office14\olmapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\progra~1\micros~1\office14\1033\mapir.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\progra~1\micros~1\office14\contab32.dll
c:\progra~1\micros~1\office14\omsxp32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\progra~1\micros~1\office14\mspst32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID: 2508

CMD: --a4023668

Path: C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe

Indicators

Parent process: u2hHiGPxmyt8ST0S5rk.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\programdata\u2hhigpxmyt8st0s5rk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\serialfun
c:\windows\system32\mssprxy.dll

PID: 3124

CMD: "C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"

Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

Indicators: No indicators

Parent process: u2hHiGPxmyt8ST0S5rk.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll

PID: 184

CMD: --d6864438

Path: C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

Indicators

Parent process: serialfunc.exe

User: admin

Integrity Level: MEDIUM

Version:

Company

Description

Version

Modules

Image
c:\users\admin\appdata\local\serialfunc\serialfunc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events

434

Read events

346

Write events

Delete events

Modification events

PID

Process

Operation

Key

Name

Value

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32

EnableFileTracing

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32

EnableConsoleTracing

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32

FileTracingMask

4294901760

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32

ConsoleTracingMask

4294901760

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32

MaxFileSize

1048576

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASAPI32

FileDirectory

%windir%\tracing

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS

EnableFileTracing

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS

EnableConsoleTracing

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS

FileTracingMask

4294901760

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS

ConsoleTracingMask

4294901760

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS

MaxFileSize

1048576

2056

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\serialfunc_RASMANCS

FileDirectory

%windir%\tracing

2056

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

ProxyEnable

2056

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

2056

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

serialfunc

"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1041

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1046

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1036

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1031

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1049

Off

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

3082

Off

1932

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1333919924

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

UISnapshot

1033;1046;1036;1031;1040;1041;1049;3082;1042;1055

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

UIFallback

1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

HelpFallback

0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1046

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1036

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1031

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1041

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1049

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

3082

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1042

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1055

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog

C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst

4C07000000000000

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog

C:\Users\admin\Documents\Outlook Files\Outlook.pst

D012000000000000

1932

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog

C:\Users\admin\Documents\Outlook Files\[email protected]

6403000000000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1041

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1046

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1036

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1031

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1049

Off

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

3082

Off

1096

serialfunc.exe

write

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage

ProductFiles

1333919924

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

UISnapshot

1033;1046;1036;1031;1040;1041;1049;3082;1042;1055

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

UIFallback

1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources

HelpFallback

0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1033

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1046

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1036

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1031

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1040

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1041

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1049

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

3082

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1042

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages

1055

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676

{ED475418-B0D6-11D2-8C3B-00104B2A6676}

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\NoMail\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

1200000000000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog

C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst

4C07000000000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

clsid

{ED475411-B0D6-11D2-8C3B-00104B2A6676}

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Mini UID

224868084

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Delivery Store EntryID

0000000038A1BB1005E5101AA1BB08002B2A56C200006D737073742E646C6C00000000004E495441F9BFB80100AA0037D96E0000000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F00630075006D0065006E00740073005C004F00750074006C006F006F006B002000460069006C00650073005C0068006F006E0065007900400070006F0074002E0063006F006D002E007000730074000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Delivery Folder EntryID

000000008120A19F92063E4E9CC774D948BA3E6682800000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Preferences UID

418ABE3735B01848A858B97DEDA4F045

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Account Name

68006F006E0065007900400070006F0074002E0063006F006D000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Display Name

48006F006E006500790050006F00740020004D00610069006C000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

68006F006E0065007900400070006F0074002E0063006F006D000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

POP3 Server

3100390032002E003100360038002E0031002E0031000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

SMTP Server

3100390032002E003100360038002E0031002E0031000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

POP3 User

68006F006E0065007900400070006F0074002E0063006F006D000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

POP3 Password

0201000000D08C9DDF0115D1118C7A00C04FC297EB01000000238F3B756708444DB8EF4E01FB67F2FE000000001C00000050004F00500033002000500061007300730077006F007200640000001066000000010000200000006E7FBD6293AECF38385B3F97AB4180173199741FB9C4A1AA7BBE2589D5C6DFD8000000000E8000000002000020000000F57A36E5105033C80292D6D9BC36E2769DAE970844C10A631D513DE746328E8320000000AD6C7414E6EFF091C62EF371F28A55EF33708DDB5D7C94D581D078EE707AB47D400000004837B4DC6AA8A67FD35C3B5EA29BEC49DBC01BC07523C8621DD0619C3EFCD2C4BDAF367E51A301CC22BB2FE2D85FC97F7ED641DC0F93B71BECEC967E7DE661CF

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

SMTP Secure Connection

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000006

Leave on Server

917507

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

LastChangeVer

3300000000000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\418abe3735b01848a858b97deda4f045

001f3001

4100630063007400530065007400740069006E006700730030003000300036000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog

C:\Users\admin\Documents\Outlook Files\Outlook.pst

D012000000000000

1096

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog

C:\Users\admin\Documents\Outlook Files\[email protected]

6403000000000000

184

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

ProxyEnable

184

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

SavedLegacySettings

4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

184

serialfunc.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

serialfunc

"C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe"

Files activity

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID

Process

Filename

Type

2508

u2hHiGPxmyt8ST0S5rk.exe

C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

executable

MD5: c882de666f59cdeff7c0f5611d18fa3f

SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

2056

serialfunc.exe

C:\ProgramData\u2hHiGPxmyt8ST0S5rk.exe

executable

MD5: c882de666f59cdeff7c0f5611d18fa3f

SHA256: 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

3384

jiazt.exe

C:\Users\admin\AppData\Local\serialfunc\serialfunc.exe

executable

MD5: 150c830e94d8ea723b7620ff20c47337

SHA256: 703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b

1096

serialfunc.exe

C:\Users\admin\AppData\Local\Temp\6C1E.tmp

binary

MD5: 913940e959b3101efd43b1ede527f17c

SHA256: b79746a5c6be28a286bac68d395590db6607e4039a14e84b2f102fbd5e2fa7b8

1932

serialfunc.exe

C:\Users\admin\Documents\Outlook Files\[email protected]

pst

MD5: 4003182a8771f9c657f36c9b53919eec

SHA256: a9444565d26b26b8cb533846b7ccb3f616d2e1caff1ce0cb348046c238543b07

1932

serialfunc.exe

C:\Users\admin\Documents\Outlook Files\Outlook.pst

pst

MD5: b8f6690a5c3ab890774e7cabf4d75094

SHA256: 82042ec4e11fffbf1b0b5e6721afce8ac960267b2061c1ca2b30ebc2e58f4d17

1096

serialfunc.exe

C:\Users\admin\Documents\Outlook Files\[email protected]

––

MD5: ––

SHA256: ––

1096

serialfunc.exe

C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp

––

MD5: ––

SHA256: ––

1932

serialfunc.exe

C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst

pst

MD5: 2a7c80e137009b6a43da7d8472dc1414

SHA256: 70071a4e4896876e4e112717ce1526b568b06c20180bc7ea24959ee3da9454e6

1096

serialfunc.exe

C:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmp

––

MD5: ––

SHA256: ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2056	serialfunc.exe	POST	––	212.186.191.177:80	http://212.186.191.177/P7uonWO4H	AT	image ––	494 b ––	malicious
2056	serialfunc.exe	POST	200	91.242.138.5:80	http://91.242.138.5/iP9QFNHepQbzGeVCkU	ES	text binary	509 b 1.33 Mb	malicious
2056	serialfunc.exe	POST	200	91.242.138.5:80	http://91.242.138.5/h7uQ9S1iDSAFneEDa	ES	text binary	544 b 148 b	malicious
2056	serialfunc.exe	POST	200	37.157.195.120:7080	http://37.157.195.120:7080/h7uQ9S1iDSAFneEDa	CZ	text binary	238 b 148 b	malicious
2056	serialfunc.exe	POST	––	37.157.195.120:7080	http://37.157.195.120:7080/VCv2iiejsVz	CZ	text ––	256 b ––	malicious
184	serialfunc.exe	POST	––	212.186.191.177:80	http://212.186.191.177/SutDnL5jV1	AT	text ––	505 b ––	malicious
184	serialfunc.exe	POST	200	91.242.138.5:80	http://91.242.138.5/eTEOp6Shioe1QxAWaIs	ES	text binary	516 b 708 Kb	malicious
184	serialfunc.exe	POST	200	91.242.138.5:80	http://91.242.138.5/RYkpFN6qk2DfUCxy	ES	text binary	505 b 148 b	malicious
184	serialfunc.exe	POST	––	37.157.195.120:7080	http://37.157.195.120:7080/RYkpFN6qk2DfUCxy	CZ	text ––	225 b ––	malicious
184	serialfunc.exe	POST	––	192.241.131.79:8080	http://192.241.131.79:8080/DLCctGAr2	US	text ––	224 b ––	malicious
184	serialfunc.exe	POST	200	217.149.241.121:8080	http://217.149.241.121:8080/tgHisYnG2Qzz4	PL	text binary	226 b 148 b	malicious
184	serialfunc.exe	POST	––	217.149.241.121:8080	http://217.149.241.121:8080/zBqGcHT	PL	text ––	250 b ––	malicious
184	serialfunc.exe	POST	––	37.157.195.120:7080	http://37.157.195.120:7080/tl8JOvKiX9Y7gXG8w	CZ	text ––	262 b ––	malicious
184	serialfunc.exe	POST	––	192.241.131.79:8080	http://192.241.131.79:8080/fKS2eyiZX	US	text ––	248 b ––	malicious
184	serialfunc.exe	POST	––	217.149.241.121:8080	http://217.149.241.121:8080/wAXHVPqMgc83WJXjt7	PL	text ––	253 b ––	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	ASN	CN	Reputation
2056	serialfunc.exe	212.186.191.177:80	Liberty Global Operations B.V.	AT	malicious
2056	serialfunc.exe	91.242.138.5:80	Visovision S.l.	ES	malicious
2056	serialfunc.exe	37.157.195.120:7080	WEDOS Internet, a.s.	CZ	malicious
184	serialfunc.exe	212.186.191.177:80	Liberty Global Operations B.V.	AT	malicious
184	serialfunc.exe	91.242.138.5:80	Visovision S.l.	ES	malicious
184	serialfunc.exe	37.157.195.120:7080	WEDOS Internet, a.s.	CZ	malicious
184	serialfunc.exe	192.241.131.79:8080	Digital Ocean, Inc.	US	malicious
184	serialfunc.exe	217.149.241.121:8080	ATM S.A.	PL	malicious

DNS requests

No DNS requests.

Threats

PID	Process	Class	Message
2056	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M5
2056	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M6
2056	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
2056	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
2056	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
2056	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M5
2056	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M6
2056	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M5
184	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M6
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M5
184	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M6
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
2056	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M5
2056	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M6
2056	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M5
184	serialfunc.exe	A Network Trojan was detected	ET TROJAN Win32/Emotet CnC Activity (POST) M6
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
184	serialfunc.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet

Debug output strings

No debug info.

General Info

jiazt

emotet

banker

trojan

stealer

Take your security to the next level

150c830e94d8ea723b7620ff20c47337

19c6fc075f1788c679dd55317302e2b264795763

703f3a385d5dfde1b277ddc8745cd0b854f4bbd2d3bf4d9ec1aca1aa84ae352b

6144:imtSfyuhgWlFcDGIrtHLkij3V4bSW6KRLPkWvtb:BSqORctrkiDV4o6Lb

Launch configuration

Software preset

Hotfixes

Behavior activities

Static information

Screenshots

Processes

Behavior graph

Process information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings

Take your security
to the next level