General Info

File name

a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe

Full analysis
https://app.any.run/tasks/fc932fb3-ab52-4b92-897d-4d1d321a0534
Verdict
Malicious activity
Analysis date
4/14/2019, 19:55:55
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

trojan

ramnit

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

7ffabd09dc6b720c5b13e61c798f6fb6

SHA1

82d11cb1bc5d93df0c555b4e2912f796c1d3eb8d

SHA256

a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069

SSDEEP

49152:HVHFXSFEmqiDqCbS1gickVsPTpuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuTuuus:HVHFXSCmqsSgfkVsNuuuuuuuuuuuuuuc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe (PID: 3840)
Writes to a start menu file
  • iexplore.exe (PID: 2432)
Changes the login/logoff helper path in the registry
  • iexplore.exe (PID: 2432)
RAMNIT was detected
  • iexplore.exe (PID: 2432)
Connects to CnC server
  • iexplore.exe (PID: 2432)
Starts Internet Explorer
  • a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe (PID: 3840)
Creates files in the program directory
  • iexplore.exe (PID: 2432)
Executable content was dropped or overwritten
  • a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe (PID: 2996)
Creates files in the user directory
  • iexplore.exe (PID: 2432)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe
|   InstallShield setup (46.6%)
.exe
|   Win64 Executable (generic) (29.9%)
.scr
|   Windows screen saver (14.1%)
.exe
|   Win32 Executable (generic) (4.8%)
.exe
|   Generic Win/DOS Executable (2.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2005:08:27 22:49:50+02:00
PEType:
PE32
LinkerVersion:
7.1
CodeSize:
1294336
InitializedDataSize:
1089536
UninitializedDataSize:
null
EntryPoint:
0x247000
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
8.0.22.0
ProductVersionNumber:
8.0.22.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Dynamic link library
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
CompanyName:
Macromedia, Inc.
FileDescription:
Macromedia Flash Player 8.0 r22
FileVersion:
8,0,22,0
InternalName:
Macromedia Flash Player 8.0
LegalCopyright:
Copyright © 1996-2005 Macromedia, Inc.
LegalTrademarks:
Macromedia Flash Player
OriginalFileName:
SAFlashPlayer.exe
ProductName:
Shockwave Flash
ProductVersion:
8,0,22,0
Debugger:
null
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
27-Aug-2005 20:49:50
Detected languages
Chinese - PRC
Chinese - Taiwan
English - United States
French - France
German - Germany
Italian - Italy
Japanese - Japan
Korean - Korea
Spanish - Spain (International sort)
CompanyName:
Macromedia, Inc.
FileDescription:
Macromedia Flash Player 8.0 r22
FileVersion:
8,0,22,0
InternalName:
Macromedia Flash Player 8.0
LegalCopyright:
Copyright © 1996-2005 Macromedia, Inc.
LegalTrademarks:
Macromedia Flash Player
OriginalFilename:
SAFlashPlayer.exe
ProductName:
Shockwave Flash
ProductVersion:
8,0,22,0
Debugger:
0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
27-Aug-2005 20:49:50
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                     Entropy
.text   0x00247000       0x0001C000    0x0001C000  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  7.58975
.rdata  0x0013D000       0x00017C84    0x00018000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                  6.20051
.data   0x00155000       0x000D2908    0x0000E000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE             7.20645
.rsrc   0x00228000       0x0001E918    0x0001F000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                  5.43723
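The section table above is the part of this report most worth a second look: the section named .text sits at the highest RVA (0x00247000, after .rsrc rather than before .rdata), is both writable and executable, has entropy 7.59, and the entry point (0x247000) is its very first byte, while the PE header declares five sections and the report shows four rows. The following added example (editor's code, not ANY.RUN's and not taken from the report) turns those observations into reusable heuristics over a section table. The thresholds and rules are the editor's assumptions about what an appended-section file infector leaves behind, not a Ramnit signature; the section values are copied from the report, and on a real file they would come from a PE parser rather than be typed in.

```python
"""PE section-table heuristics run over the Sections table of this report.

Added example, not part of the ANY.RUN report and not ANY.RUN's code.  The
section values below are copied from the report; the thresholds and rules
(RWX section, executable section with entropy >= 7.0, table not in ascending
RVA order, entry point at the very start of the highest-RVA section, declared
section count not matching the parsed table) are the editor's own assumptions
about what an appended-section file infector leaves behind.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    va: int               # RVA of the section (Virtual Address column)
    vsize: int            # Virtual Size
    rawsize: int          # Raw Size
    flags: FrozenSet[str]  # IMAGE_SCN_* names as printed in the report
    entropy: float


def _flags(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# Constructed from the report's Sections table (the PE header declares 5
# sections but only these 4 rows are shown in the report).
REPORT_SECTIONS: List[Section] = [
    Section(".text", 0x00247000, 0x0001C000, 0x0001C000,
            _flags("IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE",
                   "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"), 7.58975),
    Section(".rdata", 0x0013D000, 0x00017C84, 0x00018000,
            _flags("IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"), 6.20051),
    Section(".data", 0x00155000, 0x000D2908, 0x0000E000,
            _flags("IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ",
                   "IMAGE_SCN_MEM_WRITE"), 7.20645),
    Section(".rsrc", 0x00228000, 0x0001E918, 0x0001F000,
            _flags("IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"), 5.43723),
]
REPORT_ENTRY_POINT = 0x247000    # EntryPoint from the EXIF block
REPORT_DECLARED_SECTIONS = 5     # "Number of sections" from the PE header block

HIGH_ENTROPY = 7.0  # assumption: code above this is most likely packed or encrypted


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.rawsize):
            return s
    return None


def audit_sections(sections: List[Section], entry_point: int,
                   declared_count: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings: List[str] = []
    by_rva = sorted(sections, key=lambda s: s.va)

    if declared_count is not None and declared_count != len(sections):
        findings.append(f"header declares {declared_count} sections but "
                        f"{len(sections)} were parsed")
    if [s.va for s in sections] != [s.va for s in by_rva]:
        findings.append("section table is not in ascending RVA order")

    for s in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in s.flags
        if executable and "IMAGE_SCN_MEM_WRITE" in s.flags:
            findings.append(f"{s.name}: section is writable and executable")
        if executable and s.entropy >= HIGH_ENTROPY:
            findings.append(f"{s.name}: executable section entropy "
                            f"{s.entropy:.2f} >= {HIGH_ENTROPY}")

    ep = section_for_rva(sections, entry_point)
    if ep is None:
        findings.append(f"entry point 0x{entry_point:X} is outside every section")
    else:
        # An infector that appends its own section and redirects the entry
        # point leaves the entry in the last section by address, at its start.
        if len(sections) > 1 and ep is by_rva[-1]:
            findings.append(f"entry point 0x{entry_point:X} is in the "
                            f"highest-RVA section {ep.name}")
        if entry_point == ep.va:
            findings.append(f"entry point is exactly at the start of {ep.name}")
    return findings


if __name__ == "__main__":
    for line in audit_sections(REPORT_SECTIONS, REPORT_ENTRY_POINT,
                               REPORT_DECLARED_SECTIONS):
        print("-", line)
```

Run against the report's table this yields six findings; a stock compiler-produced layout (code first, ascending RVAs, read-only code, entry point somewhere inside .text) yields none. The count mismatch is listed as a finding because a parser should always cross-check NumberOfSections, but on this page it may only reflect the report omitting a row, so confirm it on the file itself.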
Resources
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 200, 202, 401, 403, 500, 501, 502, 570, 602, 604, 608, 610, 613, 9101

Imports
  • WSOCK32.dll
  • WININET.dll
  • CRYPT32.dll
  • VERSION.dll
  • WINMM.dll
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • comdlg32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • ole32.dll
  • OLEAUT32.dll

Exports

    No exports.

Processes

Total processes
34
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe
  --(drop and start)--> a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe (no specs)
    --(start)--> iexplore.exe (#RAMNIT)

Process information

PID
2996
CMD
"C:\Users\admin\AppData\Local\Temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe"
Path
C:\Users\admin\AppData\Local\Temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Macromedia, Inc.
Description
Macromedia Flash Player 8.0 r22
Version
8,0,22,0
Modules
Image
c:\users\admin\appdata\local\temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\cryptbase.dll

PID
3840
CMD
C:\Users\admin\AppData\Local\Temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
Path
C:\Users\admin\AppData\Local\Temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
Indicators
No indicators
Parent process
a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Avira GmbH
Description
AntiVir Command Line Scanner for Windows
Version
7.6.0.59
Modules
Image
c:\users\admin\appdata\local\temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\~tm6572.tmp
c:\users\admin\appdata\local\temp\~tm6583.tmp
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
2432
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
75
Read events
14
Write events
61
Delete events
0

Modification events

PID   Process   Operation
      Key
      Name / Value

2996  a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe   write
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.swf
      ShockwaveFlash.ShockwaveFlash

2996  a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe   write
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.spl
      ShockwaveFlash.ShockwaveFlash

2996  a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe   write
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.flv
      FlashVideo.FlashVideo

2432  iexplore.exe   write
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit
      C:\Windows\system32\userinit.exe,,C:\Program Files\vkjsglxp\enbfqohg.exe
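Two of the behaviors flagged earlier ("Changes the login/logoff helper path in the registry" and "Writes to a start menu file") are both logon persistence. Winlogon runs every comma-separated program listed in the Userinit value, so the write above adds C:\Program Files\vkjsglxp\enbfqohg.exe to every interactive logon next to the stock userinit.exe, and a file of the same name is dropped into the per-user Startup folder (see the dropped-files list). The added example below (editor's code, not ANY.RUN's) parses a Userinit value the way Winlogon consumes it and reports anything not on an allow-list, and matches dropped paths against the Startup folder; the allow-list and the Startup-folder matcher are assumptions, and the Userinit string and paths are copied from this report. Note that iexplore.exe ran at medium integrity and its other Program Files writes appear under AppData\Local\VirtualStore (where UAC file virtualization redirects them), so whether enbfqohg.exe actually exists at the path Userinit names should be verified on the host rather than assumed.

```python
"""Logon-persistence checks for the two artifacts this report records:
the rewritten Winlogon Userinit value and the file dropped into the
per-user Startup folder.

Added example, not ANY.RUN's code.  The Userinit string and the paths are
copied from the report; the parsing rule (Winlogon runs every non-empty
comma-separated entry), the allow-list and the Startup-folder matcher are
the editor's assumptions.
"""
from typing import List, Optional, Set

# Constructed from the report: value written by iexplore.exe (PID 2432).
REPORT_USERINIT = (r"C:\Windows\system32\userinit.exe,,"
                   r"C:\Program Files\vkjsglxp\enbfqohg.exe")
# Stock Windows 7 value, for comparison (note the trailing comma).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Assumption: the only program that belongs in Userinit on a stock host.
ALLOWED_USERINIT: Set[str] = {r"c:\windows\system32\userinit.exe"}

# Matches both the per-user and the all-users Startup folder.
STARTUP_FOLDER_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value the way Winlogon consumes it: a comma-separated
    list of programs; empty entries (the double comma above) are ignored and
    surrounding quotes are dropped."""
    entries: List[str] = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def unexpected_userinit_entries(value: str,
                                allowed: Set[str] = ALLOWED_USERINIT) -> List[str]:
    """Everything Winlogon would launch at logon that is not on the allow-list."""
    return [e for e in parse_userinit(value) if e.lower() not in allowed]


def is_startup_folder_path(path: str) -> bool:
    """True for a file under a Start Menu\\Programs\\Startup folder, which
    Explorer launches at logon."""
    return STARTUP_FOLDER_MARKER in path.lower()


def read_live_userinit() -> Optional[str]:
    """On a Windows host, read the current value from the key the report
    names; returns None on other platforms so the example still runs."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]


if __name__ == "__main__":
    value = read_live_userinit() or REPORT_USERINIT
    print("Userinit entries:", parse_userinit(value))
    print("Unexpected:", unexpected_userinit_entries(value))
    # Path copied from the report's dropped-files list.
    dropped = (r"C:\Users\admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\enbfqohg.exe")
    print("Startup-folder drop:", is_startup_folder_path(dropped))
```

On the report's value the only unexpected entry is C:\Program Files\vkjsglxp\enbfqohg.exe; the stock value produces none. Comparing against an allow-list rather than just looking for a second entry also catches the case where userinit.exe itself has been replaced by a path elsewhere.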

Files activity

Executable files
1
Suspicious files
0
Text files
0
Unknown types
22

Dropped files

PID   Process
      Filename  (Type)
      MD5 / SHA256

2996  a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069.exe
      C:\Users\admin\AppData\Local\Temp\a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe  (executable)
      MD5: 7657fcb7d772448a6d8504e4b20168b8
      SHA256: 54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm  (html)
      MD5: 7f42990c58c467b84d90ed69c521d793
      SHA256: 8130bf84d10ffae95fcc996da7a5865fc277080983a3bf1fa4ca1189f2a3127d

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm  (html)
      MD5: e0decd84273c9a596ac838a86ec0ba27
      SHA256: 5602875003bcd34da074e7b2f31250d618025a637fa794d29b68460dfb8d595e

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm  (html)
      MD5: 4e9b4f5e19869e45e953cbcb9eaa7ddc
      SHA256: 08d8ef547b68f08bc8e571f8e83681ae1c620fa57778bc35d0c0d48cc6d9b0ac

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm  (html)
      MD5: 43df1006834ead4906a7e33e0ba34918
      SHA256: e1baf680e6ca93da77947f8636aa69b2433496edbb5929f56de943bf6f9a93f0

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm  (html)
      MD5: 20ec5e81d13a3dc35100b9aad4673e10
      SHA256: ac59163a8496df6850a99e05532dbe65db583673895481b981cd3fed9c4913ad

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm  (html)
      MD5: 7938909f2243cfa5e876e67c1a821260
      SHA256: 6862e2c63d0e2e91f611634cd7cf0914d4067112f4745d79c9604b7447485bb7

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm  (html)
      MD5: 584958fcbbc0d4002636d1278a7ddf91
      SHA256: 7313846fa328edac0f10b1e74148ca31e49bffa852a15722f35541719d1f39fa

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm  (html)
      MD5: 8d576a8b6d589a8065d2b77706c282cf
      SHA256: 7d08ac2903311db5ee57d612d0357ec2e34472447059e9aff2673adaf8a24a86

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm  (html)
      MD5: 58adcd3267fb93e9f054cc2e5c1656e7
      SHA256: 7feb5e4d4420e0e551b33ab45a803585e99640da90da7e4d392fb2e284f09d74

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm  (html)
      MD5: 81489eb43035638b18690d63fa78dfd8
      SHA256: 208363ef41cc448bc9fdd497c36aad110c7cc4cb951aabbb40b74ce5929d5379

2432  iexplore.exe
      C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enbfqohg.exe  (––)
      MD5: ––
      SHA256: ––

3840  a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
      C:\Users\admin\AppData\Local\Temp\~TM6583.tmp  (––)
      MD5: ––
      SHA256: ––

3840  a201cc7c30d90aabedce65d8c03d2e9c5d58ae13b39283a8f98ef41bf6939069mgr.exe
      C:\Users\admin\AppData\Local\Temp\~TM6572.tmp  (––)
      MD5: ––
      SHA256: ––

2432  iexplore.exe
      C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm  (html)
      MD5: cdd9f00937dd97bb2d472a161b5b4537
      SHA256: 73fb0ae2e95c6db57c31c856e0d0f2dee9b94b7c527c6e6cfd350dff30c0253f

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
11
Threats
2

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2432 iexplore.exe 216.58.207.46:80 Google Inc. US whitelisted
2432 iexplore.exe 82.112.184.197:443 Vysokie tehnologii Limited Liability Company RU malicious

DNS requests

Domain                IP              Reputation
google.com            216.58.207.46   whitelisted
stromoliks.com        No response     unknown
promoliks.com         No response     unknown
pornoliks.com         No response     unknown
fkjdeljfeew32233.com  82.112.184.197  malicious

Threats

PID Process Class Message
2432 iexplore.exe A Network Trojan was detected ET TROJAN Win32/Ramnit Checkin
2432 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Ramnit Checkin

Debug output strings

No debug info.