General Info

File name

a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif

Full analysis
https://app.any.run/tasks/c1220509-fd3c-43a2-8d0c-fac258476f1d
Verdict
Malicious activity
Analysis date
12/6/2018, 16:11:43
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

zbot

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

ea71dbe6410ad29740839f1892d65256

SHA1

e2bc6d6d7907a834839aa96f3c6175f314687af2

SHA256

a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8

SSDEEP

12288:gGD4yVDBfzoR33+3861WscDYjHa3Vr4kDVCWN+lqavY/ZGZ0fbJlNuMoKmn4hSM/:2OWrz3RT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Modifies the Internet Explorer registry keys for privacy or tracking
  • dwm.exe (PID: 2004)
Application was injected by another process
  • explorer.exe (PID: 236)
  • dwm.exe (PID: 2004)
  • windanr.exe (PID: 2156)
Actions look like stealing of personal data
  • dwm.exe (PID: 2004)
Connects to CnC server
  • explorer.exe (PID: 236)
Runs injected code in another process
  • accy.exe (PID: 3732)
  • dwm.exe (PID: 2004)
Changes internet zones settings
  • dwm.exe (PID: 2004)
Changes the autorun value in the registry
  • dwm.exe (PID: 2004)
Executable content was dropped or overwritten
  • WinMail.exe (PID: 1524)
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Drops self deleting batch file
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Application launched itself
  • accy.exe (PID: 3884)
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 3640)
Creates files in the user directory
  • explorer.exe (PID: 236)
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Starts itself from another location
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Reads internet explorer settings
  • WinMail.exe (PID: 1524)
Connects to server without host name
  • explorer.exe (PID: 236)
Starts CMD.EXE for commands execution
  • a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (PID: 2076)
Reads Internet Cache Settings
  • explorer.exe (PID: 236)
  • WinMail.exe (PID: 1524)
Reads settings of System Certificates
  • explorer.exe (PID: 236)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
  • .exe | Win32 Executable Microsoft Visual Basic 6 (90.6%)
  • .exe | Win32 Executable (generic) (4.9%)
  • .exe | Generic Win/DOS Executable (2.2%)
  • .exe | DOS Executable Generic (2.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2005:12:17 04:18:49+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
585728
InitializedDataSize:
28672
UninitializedDataSize:
null
EntryPoint:
0x171c
OSVersion:
4
ImageVersion:
6.9
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
6.9.0.1
ProductVersionNumber:
6.9.0.1
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
Comments:
MEDICINELAKE6
CompanyName:
HOLOCRINE2
FileDescription:
Kunggari
ProductName:
Dannye2
FileVersion:
6.09.0001
ProductVersion:
6.09.0001
InternalName:
Sparke
OriginalFileName:
Sparke.exe
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
17-Dec-2005 03:18:49
Detected languages
English - United States
Comments:
MEDICINELAKE6
CompanyName:
HOLOCRINE2
FileDescription:
Kunggari
ProductName:
Dannye2
FileVersion:
6.09.0001
ProductVersion:
6.09.0001
InternalName:
Sparke
OriginalFilename:
Sparke.exe
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000B8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
17-Dec-2005 03:18:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0008E8F8 | 0x0008F000 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.91899
.data | 0x00090000 | 0x00000B48 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00091000 | 0x00005C5A | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 4.41153
Resources
  • 1
  • 30001
  • 30002
  • 30003
  • 30004
  • 30005
  • 30006
  • 30007
  • 30008
  • 30009
  • 30010
  • 30011
  • 30012
  • 30013
  • 30014

Imports
    MSVBVM60.DLL

Exports

    No exports.

Processes

Total processes
37
Monitored processes
9
Malicious processes
6
Suspicious processes
0

Behavior graph

[Graph image not preserved. Nodes: a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe (no specs), a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe, accy.exe (no specs), accy.exe (no specs), cmd.exe (no specs), dwm.exe, winmail.exe, explorer.exe, windanr.exe. Edge labels: start, inject, inject, inject.]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2004
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\wab32.dll
c:\windows\system32\cryptdlg.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\propsys.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\windows mail\msoe.dll
c:\windows\system32\atl.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\esent.dll
c:\windows\system32\msidcrl30.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\program files\windows mail\msoeres.dll

PID
236
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\windows\system32\gameux.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wer.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\users\admin\desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\windows sidebar\sbdrop.dll
c:\program files\common files\system\wab32res.dll
c:\windows\system32\display.dll
c:\program files\windows sidebar\sidebar.exe
c:\windows\system32\themecpl.dll
c:\program files\windows journal\journal.exe
c:\windows\system32\netapi32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2156
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\secur32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll

PID
3640
CMD
"C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe"
Path
C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID
2076
CMD
C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe"
Path
C:\Users\admin\Desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
Indicators
Parent process
a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\desktop\a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\omis\accy.exe

PID
3884
CMD
"C:\Users\admin\AppData\Roaming\Omis\accy.exe"
Path
C:\Users\admin\AppData\Roaming\Omis\accy.exe
Indicators
No indicators
Parent process
a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\appdata\roaming\omis\accy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID
3732
CMD
C:\Users\admin\AppData\Roaming\Omis\accy.exe"
Path
C:\Users\admin\AppData\Roaming\Omis\accy.exe
Indicators
No indicators
Parent process
accy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
HOLOCRINE2
Description
Kunggari
Version
6.09.0001
Modules
Image
c:\users\admin\appdata\roaming\omis\accy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll

PID
1840
CMD
"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmp4128d286.bat"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
1524
CMD
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
Path
C:\Program Files\Windows Mail\WinMail.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Mail
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\windows mail\winmail.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msoert2.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\windows mail\msoe.dll
c:\windows\system32\atl.dll
c:\windows\system32\msoeacct.dll
c:\windows\system32\inetcomm.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\esent.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msidcrl30.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\inetres.dll
c:\windows\system32\acctres.dll
c:\windows\system32\psapi.dll
c:\program files\windows mail\msoeres.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msident.dll
c:\windows\system32\pstorec.dll
c:\program files\common files\system\wab32.dll
c:\windows\system32\cryptdlg.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msftedit.dll
c:\program files\common files\system\wab32res.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\programdata\microsoft\identitycrl\ppcrlconfig.dll
c:\programdata\microsoft\identitycrl\ppcrlui.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mssprxy.dll

Registry activity

Total events
2891
Read events
1961
Write events
930
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2004
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy
CleanCookies
0
PID | Process | Operation | Key | Name | Value
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | 1406 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | 1609 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1406 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1609 | 0
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {CA6A9F13-8623-94BE-79D9-5E19FF04467F} | C:\Users\admin\AppData\Roaming\Omis\accy.exe
2004 | dwm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF42F5DF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Common Files\System\wab32res.dll,-4602 | Contact file
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\System32\display.dll,-4 | S&creen resolution
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Program Files\Windows Sidebar\sidebar.exe,-11100 | &Gadgets
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @"C:\Program Files\Windows Journal\Journal.exe",-3072 | Journal Document
236 | explorer.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\system32\themecpl.dll,-10 | Pe&rsonalize
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew | Classes | .accdb
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew | ~reserved~ | 0800000000000600
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value removed)
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF42F5DF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
236 | explorer.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF3CDEDF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | APPSTARTING | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | ARROW | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | CROSS | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | HAND | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | HELP | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | IBEAM | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | NO | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZEALL | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZENESW | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZENS | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZENWSE | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | SIZEWE | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | UPARROW | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Control Panel\Cursors | WAIT | %SystemRoot%\cursors\clearcur.cur
2156 | windanr.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF3CDEDF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
3732 | accy.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Odcu | Kuviucz | 48C808DEEDBBE0452745BEE142E1AEAFC0C0F7430F93B84BD8070BD73368295E4D85458286342FBC1131BD8CFE47214D74FF3CDEDF55A184F4403B1D5C573910469034353FA0ACF315E7A5B621017327174B9540F8E9C83F472765FCE9342ED872BE1847FF3D7095A9C3E150B757EED023C7672F
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\IAM\Accounts | ConnectionSettingsMigrated | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Trident\Main | Move System Caret | no
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | StoreMigratedV5 | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | Settings Upgraded | 10
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail | Safe Attachments | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail | Secure Safe Attachments | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | Running | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\IAM | Server ID | 2
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Identities | Identity Ordinal | 2
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | LastBackup | E2070C00040006000F000E000B002003
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | V7StoreMigDone | 01000000
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\IAM | Default News Account | account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WAB | NamedProps | 0420060000000000C00000000000004604000000000000800E0000000100330032003800350034000000000001800E0000000100330032003800350035000000000002800E0000000100330032003800350036000000000003800E0000000100330032003800350037000000
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WAB | NamedPropCount | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WAB | NamedProps | (value removed)
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WAB | NamedPropCount | 2
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WAB | NamedProps | (value removed)
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WAB | NamedProps | (value removed)
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail | Welcome Message | 0
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List | Version | 327680
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List | Version | 327680
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt | Value | (value removed)
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt | Size | 330
1524 | WinMail.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | SpoolerDlgPos | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF64010000790000009C03000038010000
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | SpoolerTack | 0
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail\Mail | Default_CodePage | 28591
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | Compact Check Count | 2
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | LastRun | 6CFF725B768DD401
1524 | WinMail.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows Mail | Running | 0
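Three things in the registry writes above are worth pulling out mechanically rather than by eye: the Run value with a GUID name pointing to C:\Users\admin\AppData\Roaming\Omis\accy.exe; the Internet Settings\Zones\2 and \Zones\3 values 1406 and 1609 set to 0 (these are Internet Explorer zone settings for "Access data sources across domains" and "Display mixed content", 0 means Enable, and zones 2 and 3 are Trusted sites and Internet); and the opaque HKCU\Software\Microsoft\Odcu\Kuviucz blob, which dwm.exe, explorer.exe, windanr.exe and accy.exe all rewrite. The Run and zone writes come from dwm.exe (PID 2004), not from the sample, which is what injected code looks like in a registry trace. The Python below is an added example, not part of the ANY.RUN report: it parses the report's six-line record layout and applies those three checks to a constructed subset of the writes. The rule names and the list of "system processes" are my own assumptions, and the Kuviucz value is shortened in the sample.

```python
"""Triage of sandbox registry writes: autostart entries, IE zone downgrades and
one value kept in sync by several processes. Added example; the record layout
is the report's (PID, process, operation, key, value name, data, one per line)."""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "rule pid process detail")

# Windows components that have no business writing autostart or browser-zone
# settings; a hit points at code injected into them (triage assumption).
SYSTEM_PROCESSES = {"dwm.exe", "explorer.exe"}

# IE security-zone numbers and the two settings seen in the report; data 0
# means "Enable" for both.
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}
ZONE_SETTINGS = {"1406": "Access data sources across domains",
                 "1609": "Display mixed content"}

ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(\d)$", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
HEX_BLOB = re.compile(r"^[0-9A-F]{16,}$", re.I)

# Constructed sample: a subset of the report's writes in its six-line layout.
# The Odcu\Kuviucz blob is shortened here; the report carries the full value.
SAMPLE = r"""
2004
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1406
0
2004
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{CA6A9F13-8623-94BE-79D9-5E19FF04467F}
C:\Users\admin\AppData\Roaming\Omis\accy.exe
2004
dwm.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Odcu
Kuviucz
48C808DEEDBBE0452745BEE142E1AEAF
236
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Odcu
Kuviucz
48C808DEEDBBE0452745BEE142E1AEAF
3732
accy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Odcu
Kuviucz
48C808DEEDBBE0452745BEE142E1AEAF
1524
WinMail.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Mail
Running
1
"""


def parse_records(text):
    """Split the six-lines-per-record layout into dicts; reject torn records."""
    lines = text.strip("\n").splitlines()
    if len(lines) % 6:
        raise ValueError("line count is not a multiple of 6: %d" % len(lines))
    fields = ("pid", "process", "op", "key", "name", "data")
    return [dict(zip(fields, lines[i:i + 6])) for i in range(0, len(lines), 6)]


def triage(records):
    """Return Findings for autoruns, zone downgrades and multi-writer blobs."""
    findings = []
    blob_writers = defaultdict(set)  # (key, name) -> processes rewriting it
    for r in records:
        if r["op"].lower() != "write":
            continue
        by_sys = r["process"].lower() in SYSTEM_PROCESSES
        tag = " [written by a system process: injection]" if by_sys else ""
        if AUTORUN_KEY.search(r["key"]):
            where = " [payload under AppData]" if "\\appdata\\" in r["data"].lower() else ""
            findings.append(Finding("AUTORUN", r["pid"], r["process"],
                                    "%s = %s%s%s" % (r["name"], r["data"], where, tag)))
        m = ZONE_KEY.search(r["key"])
        if m and r["name"] in ZONE_SETTINGS and r["data"] == "0":
            zone = "%s (%s)" % (m.group(1), ZONE_NAMES.get(m.group(1), "?"))
            findings.append(Finding("IE_ZONE_DOWNGRADE", r["pid"], r["process"],
                                    "zone %s: %s enabled%s" % (zone, ZONE_SETTINGS[r["name"]], tag)))
        if HEX_BLOB.match(r["data"]):
            blob_writers[(r["key"], r["name"])].add(r["process"].lower())
    for (key, name), procs in sorted(blob_writers.items()):
        if len(procs) > 1:  # one opaque value kept in sync across processes
            findings.append(Finding("SHARED_BLOB", "-", ",".join(sorted(procs)),
                                    "%s\\%s rewritten by %d processes" % (key, name, len(procs))))
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE)):
        print("%-18s pid=%-5s %-30s %s" % (f.rule, f.pid, f.process, f.detail))
```

Run against the full table, the SHARED_BLOB rule is the one that ties the process list together: every process that rewrites Odcu\Kuviucz is a process the bot lives in.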

Files activity

Executable files
2
Suspicious files
16
Text files
20
Unknown types
6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Temp\ppcrlui_1524_2 | executable | 046a9363a58f8c4105e5871a514b63cc | c1f80d9e281441239c5f40d8ae18a867b2d517385d16fd05c122a0b2716cba56
2076 | a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe | C:\Users\admin\AppData\Roaming\Omis\accy.exe | executable | ea59591d2f5d3974f392aef84b0e46f6 | 60e6efd5287a8ef2bb5f2beb099dae81ceb207618fcb537be125f572dd43cef3
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\48BD0A63-00000001.eml:OECustomProperty | pc1 | c56772f2c31395959cd03a44b0cc9d98 | 5a147e289db68bb4689a7d8683845531b09dae7069bc7e47d24c46c45c47b578
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | b372794222c509582a283f976d8bfdb5 | 868c1a5b6c819eae31f6e7330f4d18e03990cba7173572283611b80199d23d56
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | f4689351d7e7aa41e4acdd4c8062cd8e | 471385d6d6753bf1cfcb35709f5124880bc71cf29e9984ec2345b047dcce06b7
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 601d7d9f4cbb527720777d9f3a7e33d0 | 301877a15a31c7fe0c3fecbea974c9f7a259950d641a1edeade907d4f2370587
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 393298223d964a0518b702de4a724633 | 006dcb2978cc6f30d357858fe676751c35cf4b0b2159313a72046abf1fad3195
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 11ba51b1e175b3cf98615374f24ce75e | c5b73328bcf85a8753e98fa22f47c47248be7c604909845a5f89faec1b5c9b9b
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | a0dbf3d49450bd914c3eeb7ba71f8b18 | ab47e38d894658e0f8ec6e08143fe4cbffa27c4c1bdf2808011f72a2c9edae05
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 8e7a01f412859f41077b0deac9296aac | 50248a1f06abd512233d62d146488a81a1331a24ccab12b19eb87ac0b6ac31fb
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 68ba950690c9580766205793974de842 | ea305d1e4d25bcf70f9e3d3213046a13526faac977506a64299286655eb960e7
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 520712097cac9ef065633488a9fceb45 | 5d77f28cb6aa0e3a0ae221d602b018cea1c00172645a485d43eb85e6cb5aa35f
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | cfab14fea66032655fcf61315e8b0fc0 | 6b6b6ffbee9d78b38c3ce8fae61ad4fe75ba6ebe64d6750893b3133351a58b3a
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 4eec4a7faa558acdb354b5f67eb13f4d | 9dc58b7e9b08d989f9fbb65a9b2581514b0de44a3b3aeb2450bdcf9371ab4533
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | e10c4ae5eec035c1e238087ed9e53cae | e8d9190e918c6d39b0079c1319cb0c48c985734347b4bc0fb11b3a337f21d3ae
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | c3fd6a3350b30a6589b501a61468acfa | 785f6491e2a97a90c85c7c30493ebc479a88e9dca7cef8d0d8c360fc8f3153fb
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 8dc4156bd0514ead6b42a9d8f2e1565e | eb25cf39631b6001be2080796664830921def13799cf925858e5b56a5a531054
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | –– | –– | ––
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 1e828c95e6df625e36638741255b13e9 | f057c4353427bdbd34f987b7b932a897a354ed2f1c5e80f46f41788ac93f4c08
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 1dd8f8004ba2a8e989343086f3838d44 | 78b30e58737f00726305b5a0f6bdbbe4987f3e53685230eded6196f218775718
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | –– | –– | ––
236 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\config[1].bin | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk | binary | f7a6148bc9e0d1bf924208c6c9afd2d3 | fea8f4a64f0952e4f491e0d4d1c821916a2edd32087a86cbf290c0f291158df5
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore | edb | d9eebf998ed1f9e6d2a91f25297ab138 | e78c662ed3baaeffa21fb79786a928c386adbbf0089ab54c6e64bddce5ca318b
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log | binary | 2060fa38ff90b2d669069887e84cced0 | e46503b47ba8a052fa7db533cd34a3f74ece82b9f719419ccb4c68b8785cebfc
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\tmp.edb | –– | –– | ––
236 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\webhp[1].txt | –– | –– | ––
3640 | a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe | C:\Users\admin\AppData\Local\Temp\~DF9C531F164F1365E8.TMP | binary | 116e4f6ac8f93d10b2607ec50ccbe1ba | 90ed1f1d88c0b992e7a12c0aa37ff1e92f59db02de485b341872d8495b600232
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\48BD0A63-00000001.eml | eml | bc61bd60e8c7899156d8c23366281aab | 6eba6bc3ee78cbae1f514bbbde0f5bc082a265e4181c10758cd4ca13216f0f67
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Microsoft Communities\account{30CE7C98-AA27-4327-91CA-78FA20FFA850}.oeaccount | xml | 55e3e8579db5f3ce6a7355d8ad8b84b9 | 5ea5b63a0eeb81c9ee0a52213d43125c2e3cebac97cfad811eef9f45a282e6be
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol | binary | a5a0f30be56681f64a28a7ba72226ede | 3eee27c62fc3440d58c3be414473a41809a372d2f9174cf0db3059e21cc50225
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol | binary | 60a3b6592de01a4cb2e07da218c9f34b | 8ad29c309236f0210e3ae7af8adedf1642a9e561498f9320b50cec8938ee8b83
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol | binary | 639576daa0ec432482adc290db5da4cc | b56d2c191a46cb8e816ba1b23daed89947628dbaefe28b430412b1e507ad9161
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol | binary | 4bcbf3ae2db0f8aee8e792fd9ba8da7f | 1a17f24f9d36e0abe7e2c7c1ad06e30e9ebe674ed2e2e2e0fb9fd451c4d64b51
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol | binary | 1d1a60631efcf505795fb06471cb6a48 | 87eed194d869f1dec6ebf639e985101abad37f6e5a347237a1b056b2dcbfc481
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol | binary | 9ef0149faeff67aa41da62c9a4b3226c | 4b8d7dcc16f962586f50184b40e8ad4d2b6e1980eccace178bc4b4d645751e49
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Lyarun\iqub.tmp | binary | 78f2a8444cacc6a9e3687a334623745c | 429a116147d82b817a37080342de1388f1fff24108ed8d51448c2dada37a8756
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\new | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat | dbf | b9be6bab798d2c530882386cf752e32d | 20e1ad91684e14dfb8ee3099d006f885a5183cfd584df67ec8ce204f2acc5577
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edbtmp.log | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb00002.log | binary | b18e06995cd240cb755e9d58e48e8a93 | 554c4787033eb31e6fe07ed5861c9894e09f7d53521d06823215c31b77c8651f
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.chk | binary | 549efce849a769b23539349fd4d4daf2 | c7a9a7ca758e14fbbf1bd0952385cee02ad80ba31d8a894e434acc767f2031d5
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore | edb | 420fd2438599bd8319a5dc1c3c9a4fce | 72ecc6f158434a4a26c53757215a49c080fb8c95fed19b065668defc9401529c
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\Backup\old\ | –– | –– | ––
1524 | WinMail.exe | C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore | –– | –– | ––
2004 | dwm.exe | C:\Users\admin\AppData\Roaming\Lyarun\iqub.law | binary | 78f2a8444cacc6a9e3687a334623745c | 429a116147d82b817a37080342de1388f1fff24108ed8d51448c2dada37a8756
2004 | dwm.exe | C:\Users\admin\AppData\Roaming\Lyarun\iqub.law | binary | bb562625eb5194ea935e874c00ab943b | 11111491bebae9b46af93cb33c4a35c1e3d1b83ccd13bb1e69a975e1549ae298
2076 | a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe | C:\Users\admin\AppData\Local\Temp\tmp4128d286.bat | text | 9402f24759177c7adcaccc84ee72419a | a96e75227572d3471c0c43de1d7bb261a540314fdd1ff6cba2fea5d5dd4642db
3884 | accy.exe | C:\Users\admin\AppData\Local\Temp\~DFB52B1D1A2F5488C5.TMP | binary | 116e4f6ac8f93d10b2607ec50ccbe1ba | 90ed1f1d88c0b992e7a12c0aa37ff1e92f59db02de485b341872d8495b600232
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 17ac630aa50b9ceebb0a785b9eff62b6 | 4262740d9ba8caae94a1ec01dd769a59a40f4a8f229ec8ea494295f90a94de70
236 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt | text | 6a17ad31d87fbb9f6073b7355e9fc522 | 3970b3681766b93e337abdcdd7cc0cecc51939c15abf1cae231bd2817e011562
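Read as a whole, the dropped-files table says more than any single row: the sample (PID 2076) writes accy.exe into %APPDATA%\Omis and a .bat into Temp; the sample (PID 3640) and accy.exe (PID 3884) each write a ~DF*.TMP file with the same SHA256; explorer.exe's Lyarun\iqub.tmp and dwm.exe's Lyarun\iqub.law share a hash, after which iqub.law is rewritten with different content; and config[1].bin in the IE cache has no hash recorded at all. The Python below is an added example, not code from the report, that applies those checks to a constructed subset of the rows above. The rule names are mine; the "––" hash marker is the report's own.

```python
"""Triage of a sandbox dropped-files table: payloads under the user profile,
scripts in Temp, identical content under several names, and a path rewritten
with different content. Added example; rows are a constructed subset of the
report's table with its columns (PID, process, filename, type, MD5, SHA256)."""
from collections import defaultdict, namedtuple

Drop = namedtuple("Drop", "pid process path type md5 sha256")
Finding = namedtuple("Finding", "rule detail")

SAMPLE_EXE = "a1565cb5e3a92dede041005fa0600cb844f17041bcd596ab10cee62148b7aeb8.pif.exe"
NO_HASH = "––"  # the report's marker for a file it could not hash
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed sample (rows taken from the report's dropped-files table).
SAMPLE_DROPS = [
    Drop("2076", SAMPLE_EXE, r"C:\Users\admin\AppData\Roaming\Omis\accy.exe", "executable",
         "ea59591d2f5d3974f392aef84b0e46f6",
         "60e6efd5287a8ef2bb5f2beb099dae81ceb207618fcb537be125f572dd43cef3"),
    Drop("3640", SAMPLE_EXE, r"C:\Users\admin\AppData\Local\Temp\~DF9C531F164F1365E8.TMP", "binary",
         "116e4f6ac8f93d10b2607ec50ccbe1ba",
         "90ed1f1d88c0b992e7a12c0aa37ff1e92f59db02de485b341872d8495b600232"),
    Drop("3884", "accy.exe", r"C:\Users\admin\AppData\Local\Temp\~DFB52B1D1A2F5488C5.TMP", "binary",
         "116e4f6ac8f93d10b2607ec50ccbe1ba",
         "90ed1f1d88c0b992e7a12c0aa37ff1e92f59db02de485b341872d8495b600232"),
    Drop("236", "explorer.exe", r"C:\Users\admin\AppData\Roaming\Lyarun\iqub.tmp", "binary",
         "78f2a8444cacc6a9e3687a334623745c",
         "429a116147d82b817a37080342de1388f1fff24108ed8d51448c2dada37a8756"),
    Drop("2004", "dwm.exe", r"C:\Users\admin\AppData\Roaming\Lyarun\iqub.law", "binary",
         "78f2a8444cacc6a9e3687a334623745c",
         "429a116147d82b817a37080342de1388f1fff24108ed8d51448c2dada37a8756"),
    Drop("2004", "dwm.exe", r"C:\Users\admin\AppData\Roaming\Lyarun\iqub.law", "binary",
         "bb562625eb5194ea935e874c00ab943b",
         "11111491bebae9b46af93cb33c4a35c1e3d1b83ccd13bb1e69a975e1549ae298"),
    Drop("2076", SAMPLE_EXE, r"C:\Users\admin\AppData\Local\Temp\tmp4128d286.bat", "text",
         "9402f24759177c7adcaccc84ee72419a",
         "a96e75227572d3471c0c43de1d7bb261a540314fdd1ff6cba2fea5d5dd4642db"),
    Drop("236", "explorer.exe",
         r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\config[1].bin",
         NO_HASH, NO_HASH, NO_HASH),
]


def triage_drops(drops):
    """Per-row checks first, then the cross-row hash and path correlations."""
    findings = []
    by_hash = defaultdict(list)  # sha256 -> drops carrying that content
    by_path = defaultdict(set)   # path (lowercased) -> distinct hashes written
    for d in drops:
        p = d.path.lower()
        if d.type == "executable" and "\\appdata\\" in p:
            findings.append(Finding("EXE_UNDER_APPDATA",
                                    "%s dropped by %s (pid %s)" % (d.path, d.process, d.pid)))
        if p.endswith(SCRIPT_EXT) and "\\temp\\" in p:
            findings.append(Finding("SCRIPT_IN_TEMP",
                                    "%s written by %s (pid %s)" % (d.path, d.process, d.pid)))
        if d.sha256 == NO_HASH:
            findings.append(Finding("NO_HASH_RECORDED",
                                    "%s (%s): content not captured" % (d.path, d.process)))
            continue
        by_hash[d.sha256].append(d)
        by_path[p].add(d.sha256)
    for h, ds in by_hash.items():
        paths = sorted({d.path for d in ds})
        if len(paths) > 1:  # identical bytes under different names or writers
            findings.append(Finding("SAME_CONTENT",
                                    "sha256 %s at %s" % (h[:12], " ; ".join(paths))))
    for p, hashes in by_path.items():
        if len(hashes) > 1:  # the same file rewritten with other content
            findings.append(Finding("PATH_REWRITTEN",
                                    "%s holds %d different contents" % (p, len(hashes))))
    return findings


if __name__ == "__main__":
    for f in triage_drops(SAMPLE_DROPS):
        print("%-18s %s" % f)
```

The NO_HASH_RECORDED rows matter for collection: config[1].bin is the downloaded bot configuration, and since the sandbox could not hash it the PCAP of the config.bin GET is the only place it survives.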

Network activity

HTTP(S) requests
31
TCP/UDP connections
41
DNS requests
1
Threats
110

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
236 | explorer.exe | GET | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/config.bin | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious
236 | explorer.exe | GET | 302 | 216.58.213.196:80 | http://www.google.com/webhp | US | html | –– | whitelisted
236 | explorer.exe | POST | 200 | 31.220.2.120:80 | http://31.220.2.120/~chuxtr/abj/server/gate.php | BZ | binary | –– | malicious

Connections

PID Process IP ASN CN Reputation
236 explorer.exe 31.220.2.120:80 Amarutu Technology Ltd BZ malicious
236 explorer.exe 216.58.213.196:80 Google Inc. US whitelisted
236 explorer.exe 216.58.213.196:443 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
www.google.com 216.58.213.196
whitelisted

Threats

PID Process Class Message
236 explorer.exe A Network Trojan was detected ET TROJAN Possible Zbot Activity Common Download Struct
236 explorer.exe A Network Trojan was detected ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
236 explorer.exe A Network Trojan was detected ET TROJAN Generic .bin download from Dotted Quad
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
236 explorer.exe A Network Trojan was detected ET TROJAN Zeus Bot GET to Google checking Internet connectivity
236 explorer.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
236 explorer.exe A Network Trojan was detected ET TROJAN Zbot POST Request to C2
236 explorer.exe A Network Trojan was detected ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
236 explorer.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
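The Threats rows are Emerging Threats (ET) signature names that fired on the HTTP requests listed earlier: a .bin fetched from a bare IP address, POSTs to gate.php on that same IP with no Referer and a fake browser User-Agent, and GETs to www.google.com/webhp between check-ins. The report does not show request headers, so only method, host and path can be checked from it. The Python below is an added example, not ANY.RUN's or ET's code, that reproduces the host/path part of that logic over a constructed excerpt of the HTTP rows and correlates them per PID into the config-fetch-then-check-in loop; the rule names are mine.

```python
"""Detection logic for the Zeus/Zbot check-in pattern over HTTP log rows.
Added example; the row layout is the report's HTTP table
(PID Process Method HTTP-Code IP URL CN). Rule names approximate the
Emerging Threats signatures listed under Threats but are not theirs."""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlsplit

Request = namedtuple("Request", "pid process method code ip url cn")
Alert = namedtuple("Alert", "pid process rule url")

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: the first rows of the report's HTTP table.
SAMPLE_LOG = """\
236 explorer.exe GET 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/config.bin BZ
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ
236 explorer.exe POST 200 31.220.2.120:80 http://31.220.2.120/~chuxtr/abj/server/gate.php BZ
236 explorer.exe GET 302 216.58.213.196:80 http://www.google.com/webhp US
"""


def parse_log(text):
    """One Request per row; the report's fields contain no spaces."""
    reqs = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7:
            raise ValueError("unexpected row: %r" % line)
        reqs.append(Request(*parts))
    return reqs


def classify(req):
    """Rule names a single request trips, judged on method, host and path."""
    u = urlsplit(req.url)
    host, path = (u.hostname or "").lower(), u.path.lower()
    literal_ip = bool(DOTTED_QUAD.match(host))
    hits = []
    if req.method == "GET" and literal_ip and path.endswith(".bin"):
        hits.append("BIN_DOWNLOAD_FROM_DOTTED_QUAD")    # bot configuration fetch
    if req.method == "POST" and path.endswith("/gate.php"):
        hits.append("POST_TO_GATE_PHP")                 # check-in / stolen-data drop
        if literal_ip:
            hits.append("POST_TO_GATE_PHP_DOTTED_QUAD")
    if req.method == "GET" and host == "www.google.com" and path == "/webhp":
        hits.append("GOOGLE_WEBHP_CONNECTIVITY_CHECK")  # reachability probe
    return hits


def alerts_for(reqs):
    return [Alert(r.pid, r.process, rule, r.url) for r in reqs for rule in classify(r)]


def summarize(reqs):
    """Per-PID correlation: a config fetch, then repeated POSTs to the same
    host with connectivity probes in between. One hit is weak evidence; the
    loop as a whole is the fingerprint."""
    by_pid = defaultdict(list)
    for r in reqs:
        by_pid[r.pid].append(r)
    out = {}
    for pid, rs in by_pid.items():
        cfg = next((r for r in rs if "BIN_DOWNLOAD_FROM_DOTTED_QUAD" in classify(r)), None)
        if cfg is None:
            continue
        c2 = urlsplit(cfg.url).hostname
        checkins = [r for r in rs if "POST_TO_GATE_PHP" in classify(r)
                    and urlsplit(r.url).hostname == c2]
        probes = [r for r in rs if "GOOGLE_WEBHP_CONNECTIVITY_CHECK" in classify(r)]
        out[pid] = {"process": rs[0].process, "c2": c2, "config_url": cfg.url,
                    "checkins": len(checkins), "probes": len(probes),
                    "verdict": "zeus_checkin_loop" if len(checkins) >= 2 else "config_fetch_only"}
    return out


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for a in alerts_for(reqs):
        print("%-5s %-13s %-32s %s" % a)
    for pid, s in summarize(reqs).items():
        print("pid %s %s: %s via %s (%d check-ins, %d probes)"
              % (pid, s["process"], s["verdict"], s["c2"], s["checkins"], s["probes"]))
```

Two caveats when turning this into a production rule: the process column is the strongest signal here (explorer.exe has no reason to POST binary bodies to a bare IP, which is why the injection matters), and the connectivity probes to google.com are whitelisted individually, so they only count once correlated with the check-ins from the same PID.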

Debug output strings

No debug info.