General Info

File name

123.exe

Full analysis
https://app.any.run/tasks/68459c01-619a-4506-9854-2277a3322560
Verdict
Malicious activity
Analysis date
7/11/2019, 17:46:34
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

cb1c660658312dd77c68a8ce9102b8a0

SHA1

7e4fbbad202835954d10f113ed6774757d8c0398

SHA256

cb0b411cc1f6704c16f3a50aadc6384275ba5b2e17be0a69c632883d83d9cd35

SSDEEP

1536:J4ctAMwflmsolaTIrRuw+mqbz9j1MWLQsgZdO:dqM+lmsolAIrRuw+mqv9j1MWLQFZd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes settings of System certificates
  • 123.exe (PID: 3236)
Renames files like Ransomware
  • 123.exe (PID: 3236)
Executable content was dropped or overwritten
  • 123.exe (PID: 3236)
Creates files like Ransomware instruction
  • 123.exe (PID: 3236)
Manual execution by user
  • rundll32.exe (PID: 3668)
  • NOTEPAD.EXE (PID: 3724)

Static information

TRiD
.exe  Generic CIL Executable (.NET, Mono, etc.) (63.1%)
.exe  Win64 Executable (generic) (23.8%)
.dll  Win32 Dynamic Link Library (generic) (5.6%)
.exe  Win32 Executable (generic) (3.8%)
.exe  Generic Win/DOS Executable (1.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:07:11 17:06:47+02:00
PEType:
PE32
LinkerVersion:
48
CodeSize:
114176
InitializedDataSize:
5632
UninitializedDataSize:
null
EntryPoint:
0x1dc6a
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
6
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
null
CompanyName:
windows
FileDescription:
Bulba
FileVersion:
1.0.0.0
InternalName:
Bulba.exe
LegalCopyright:
Copyright © 2019
LegalTrademarks:
null
OriginalFileName:
Bulba.exe
ProductName:
Bulba
ProductVersion:
1.0.0.0
AssemblyVersion:
1.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
11-Jul-2019 15:06:47
Comments:
null
CompanyName:
windows
FileDescription:
Bulba
FileVersion:
1.0.0.0
InternalName:
Bulba.exe
LegalCopyright:
Copyright © 2019
LegalTrademarks:
null
OriginalFilename:
Bulba.exe
ProductName:
Bulba
ProductVersion:
1.0.0.0
Assembly Version:
1.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
11-Jul-2019 15:06:47
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00002000 0x0001BC78 0x0001BE00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 4.67063
.rsrc 0x0001E000 0x0000120C 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.80835
.reloc 0x00020000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.10191
Resources
1

Imports
    mscoree.dll

Exports

    No exports.

Screenshots

Processes

Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start: 123.exe; rundll32.exe (no specs); notepad.exe (no specs)

Process information

PID
3236
CMD
"C:\Users\admin\AppData\Local\Temp\123.exe"
Path
C:\Users\admin\AppData\Local\Temp\123.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
windows
Description
Bulba
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\123.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorlib.dll
c:\windows\microsoft.net\assembly\gac_msil\system\v4.0_4.0.0.0__b77a5c561934e089\system.dll
c:\windows\microsoft.net\assembly\gac_msil\system.drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.drawing.dll
c:\windows\microsoft.net\assembly\gac_msil\system.configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.configuration.dll
c:\windows\microsoft.net\assembly\gac_msil\system.core\v4.0_4.0.0.0__b77a5c561934e089\system.core.dll
c:\windows\microsoft.net\assembly\gac_msil\system.xml\v4.0_4.0.0.0__b77a5c561934e089\system.xml.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll

PID
3668
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\youoffers.rtf.Pox
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
3724
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\HOW TO DECRYPT FILES.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

Registry activity

Total events
89
Read events
61
Write events
28
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
EnableFileTracing
0
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
EnableConsoleTracing
0
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
FileTracingMask
4294901760
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
ConsoleTracingMask
4294901760
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
MaxFileSize
1048576
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
FileDirectory
%windir%\tracing
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
EnableFileTracing
0
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
EnableConsoleTracing
0
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
FileTracingMask
4294901760
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
ConsoleTracingMask
4294901760
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
MaxFileSize
1048576
3236
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
FileDirectory
%windir%\tracing
3236
123.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3236
123.exe
write
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\339CDD57CFD5B141169B615FF31428782D1DA639
Blob
3236
123.exe
write
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Blob
3724
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosX
66
3724
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosY
66
3724
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDX
960
3724
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDY
501

Files activity

Executable files
1
Suspicious files
21
Text files
1
Unknown types
12

Dropped files

PID
Process
Filename
Type
3236
123.exe
C:\admin\Systems\local.exe
executable
MD5: cb1c660658312dd77c68a8ce9102b8a0
SHA256: cb0b411cc1f6704c16f3a50aadc6384275ba5b2e17be0a69c632883d83d9cd35
3236
123.exe
C:\Users\admin\Documents\includingmichael.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34DA60AA966CD9270C5362E6AEF824CF
der
MD5: 83e10465b722ef33ff0b6f535e8d996b
SHA256: 02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0
3236
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34DA60AA966CD9270C5362E6AEF824CF
binary
MD5: 441ab534c70b0ec536cd724d2d491da6
SHA256: faa02864289fab31104d2081761d42aaaa1f0008dd75c4f7e058be9aa88e18a8
3236
123.exe
C:\Users\admin\Desktop\HOW TO DECRYPT FILES.txt
text
MD5: b817661349dba849215313d132b8a8f1
SHA256: 826ef587c1c2448f6526f06eefb564ffd9e698734e5e7247a18f5a680170a0e6
3236
123.exe
C:\Users\admin\Pictures\papertrying.png.Pox
mp3
MD5: 29617cdcf642fbcae5f3ca72fe7bfb82
SHA256: ed854d30986d3a61b7b34e5c1ca1a8b1640b8c6395f1976ae8defc400e8af75a
3236
123.exe
C:\Users\admin\Pictures\papertrying.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Pictures\outdoornavigation.jpg.Pox
binary
MD5: 0dbc8bd795c16d5824fe5f6a2582087e
SHA256: 91b38c21360a29bd2040f084dfba68e50424d2bc39aa460f8bed75e556369115
3236
123.exe
C:\Users\admin\Pictures\outdoornavigation.jpg
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Pictures\jobvery.png.Pox
mp3
MD5: 78b180dbb2557b77279e029e04e4005d
SHA256: 2bf9c56f4e7c99fa2ddeb21f645145916651693e7d29855a1c901d3a51c05a9c
3236
123.exe
C:\Users\admin\Pictures\jobvery.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Pictures\familyarchive.png.Pox
mp3
MD5: 565e948a1304fe55a7a88701b5a2c871
SHA256: d27275386470759af6adfec76e5cf8ad0455b27758c71b8764b09c84ee6e6cd6
3236
123.exe
C:\Users\admin\Pictures\familyarchive.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Pictures\existingarchives.jpg.Pox
binary
MD5: 4d972410ff192a9dbf965a96de52da70
SHA256: 940039caf7d74f260f7c03e1ced2cd1b435c0883369a15f7ecec4ce3577f2fc6
3236
123.exe
C:\Users\admin\Pictures\existingarchives.jpg
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Pictures\chairwall.png.Pox
mp3
MD5: 6a0a26d14f312a8dd8e573b5304f70bf
SHA256: 46aa62c72705a401cb9cab8c2b075566ed83708b9597729a98e5d541fcb47ad9
3236
123.exe
C:\Users\admin\Pictures\chairwall.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Pictures\beradio.png.Pox
mp3
MD5: 092f83f21a9c1585555874599ac4d658
SHA256: f6c5bbdc2f0c38fe927593f489712a5e5d1e8fc930898c17147e77a9b6195591
3236
123.exe
C:\Users\admin\Pictures\beradio.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Downloads\outmountain.png.Pox
mp3
MD5: 93ef04e1f463ac507080b53d329b5898
SHA256: 21d3ce74f31672d0de42060c989354decd1bf02a42c449580bca0c96056f8a13
3236
123.exe
C:\Users\admin\Downloads\outmountain.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Downloads\culturalsecure.png.Pox
mp3
MD5: 2dc5a8b321ac591824daf3023d0547ab
SHA256: b86d56962243536673f31b8767abc54b303b292e555146565e602cfaa392e1a7
3236
123.exe
C:\Users\admin\Downloads\culturalsecure.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Downloads\changedpain.png.Pox
mp3
MD5: 3607de7b67126a812c03c5fcd5d20cce
SHA256: 6de17f999d7b29003db8873057e0f8c7b7b6078a9576868e2f39c53c476143cb
3236
123.exe
C:\Users\admin\Downloads\changedpain.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Downloads\bothmike.jpg.Pox
binary
MD5: beb2c04c54c793cb8adf28ddeb1d4b75
SHA256: 958c7618559b5945bb13b65f9ec1823a58bab2557754efb2b12a636961e5ca63
3236
123.exe
C:\Users\admin\Downloads\bothmike.jpg
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Documents\trackhosting.rtf.Pox
binary
MD5: d4afe548dffbc91100312085067170de
SHA256: c281d4fd5a4cadac347d387e871eef83dfc390c16472d1d6990d14eeb91dc6d3
3236
123.exe
C:\Users\admin\Documents\trackhosting.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Documents\registereddivision.rtf.Pox
binary
MD5: 033c4a269be18e78ae3e1df2890503d8
SHA256: e700b26d4bc2c2932b186c57257585cbf1a3a823c5c2029bac97dc766e986afa
3236
123.exe
C:\Users\admin\Documents\registereddivision.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Documents\includingmichael.rtf.Pox
binary
MD5: 4406d70827159778c8e75b17e54e8b80
SHA256: f5d2d4780b4f6b2cbdb1c7efa42018974b1350f52580d13be9d5e8fe3efe66dd
3236
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928
binary
MD5: 06225f7f41837dcfa085cc4dd45ab6d1
SHA256: 9723edcd4e86f40fffe18405678556fa364968cffbcd9e995e5ae59dabe7b5c7
3236
123.exe
C:\Users\admin\Documents\guidelinesthose.rtf.Pox
binary
MD5: 1f8f1d854acd1bb217716f9342dd7c28
SHA256: 3edd21984d9c6a7093413df6789c6c611233ae281205e84906e9c978e2dbc537
3236
123.exe
C:\Users\admin\Documents\guidelinesthose.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Documents\completedmillion.rtf.Pox
binary
MD5: 22b2478b0684fe4412b7462981c5ff03
SHA256: 5659ae678b10b127863af95db0395c70697a3cf6a9752a7d2773c66c3010ba36
3236
123.exe
C:\Users\admin\Documents\completedmillion.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Documents\additionadd.rtf.Pox
binary
MD5: af89917a194c15ffbec44a4f8b309136
SHA256: 4c3263b33eaba076bc8c5cd7a532d4bffdabf84e44c347b88f8dcf40c801d1aa
3236
123.exe
C:\Users\admin\Documents\additionadd.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Contacts\admin.contact.Pox
binary
MD5: 0849e7cb565c0480bfbaa2f96329b44d
SHA256: f7924fb737ca034c636628668dd896a796ae5aa054975b7b70ee9415bf58210b
3236
123.exe
C:\Users\admin\Contacts\admin.contact
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Links\RecentPlaces.lnk.Pox
binary
MD5: 0f2247f3f9a0c39dae190d3f0072a933
SHA256: e7d886a8e6694c77fdba91b6a430061d66de970058f4b7de53e4e02c5f9bcddb
3236
123.exe
C:\Users\admin\Links\RecentPlaces.lnk
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Links\Downloads.lnk.Pox
binary
MD5: 21710b26373a4160d539fa9097563713
SHA256: 1b38b39ad1d126518fcabeea3516000a06023a69df85bcf5417148aa1f41f81a
3236
123.exe
C:\Users\admin\Links\Downloads.lnk
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Links\Desktop.lnk.Pox
binary
MD5: 59d8955f37ec9c617257914b6a72e6ac
SHA256: 556c3404a314d1f532b0017c03aa0f91913ea0da1ac8716589ca1d3b9ad7da85
3236
123.exe
C:\Users\admin\Links\Desktop.lnk
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\youoffers.rtf.Pox
binary
MD5: b81def2de294ac01c7755ec4e3bc5121
SHA256: c1176551aa4d6406df5b253ad676fbd695a766bff54762de410ceb267e979a50
3236
123.exe
C:\Users\admin\Desktop\youoffers.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\xxxlog.png.Pox
mp3
MD5: 4ce9302f6e7283089216333ad217e340
SHA256: be81f1d5df5e447f2a333505425b5e471f7333084a3f4498f0df67565b047de1
3236
123.exe
C:\Users\admin\Desktop\xxxlog.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\themun.jpg.Pox
binary
MD5: 4ddd246b816f31580834e0e9beb7083c
SHA256: 6c87b10064d937a65bfe7c472ee991e2818ef9e32a7601bcb5352642d5888ba3
3236
123.exe
C:\Users\admin\Desktop\themun.jpg
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\taxsmith.jpg.Pox
binary
MD5: 8573f8205ea6f8b1064b58de0ec06956
SHA256: 8debfe72fe9d001a60a7e0198032fce9086d3a18d5764c44e6416aba0d05ed29
3236
123.exe
C:\Users\admin\Desktop\taxsmith.jpg
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\proteindelivery.rtf.Pox
binary
MD5: e08adc7d55c62cacbcf7b4c76cf88c34
SHA256: eb3a4cb6783ebad1a8f11f1426debddb63972ab98b27741a9565da22e7304895
3236
123.exe
C:\Users\admin\Desktop\proteindelivery.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\ohuser.png.Pox
mp3
MD5: 96f11233d9f79c33bfa82d740a87b62c
SHA256: ccbe10e2185bb70dc0ab442f229b049161309b0e6d90fcf9f348c855b097bf05
3236
123.exe
C:\Users\admin\Desktop\ohuser.png
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\careeractually.rtf.Pox
binary
MD5: 66db880e93b3fa3a2d93c86b74a1d20f
SHA256: 736834640f5c1f34e6e4129b6a117ea1074665e372e33fc9c311f6a72ffbc3a2
3236
123.exe
C:\Users\admin\Desktop\careeractually.rtf
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\Desktop\agencieswar.jpg.Pox
binary
MD5: 1d7ed3b4a5f1322a9ca1126a0af9fd61
SHA256: 420c9dd58351fc60e16bb9093a13d179184f8f4830165092a2dcfd419e48f5bb
3236
123.exe
C:\Users\admin\Desktop\agencieswar.jpg
––
MD5:  ––
SHA256:  ––
3236
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928
der
MD5: 1edaf9ae99ce2920667d0e9a8b3f8c9c
SHA256: 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da

Network activity

HTTP(S) requests
5
TCP/UDP connections
3
DNS requests
3
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3236 123.exe GET 200 91.199.212.52:80 http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt GB der –– whitelisted
3236 123.exe GET 200 91.199.212.52:80 http://crt.comodoca.com/COMODORSAAddTrustCA.crt GB der –– whitelisted
3236 123.exe GET 404 81.177.141.81:80 http://kingswagy.ru/Decrypter.exe RU html –– malicious
3236 123.exe GET 404 81.177.141.81:80 http://kingswagy.ru/Decrypter.exe RU html –– malicious
3236 123.exe GET 404 81.177.141.81:80 http://kingswagy.ru/ransom.jpg RU html –– malicious

Connections

PID Process IP ASN CN Reputation
3236 123.exe 88.99.66.31:443 Hetzner Online GmbH DE suspicious
3236 123.exe 91.199.212.52:80 Comodo CA Ltd GB unknown
3236 123.exe 81.177.141.81:80 JSC RTComm.RU RU malicious

DNS requests

Domain IP Reputation
maper.info 88.99.66.31 malicious
crt.comodoca.com 91.199.212.52 whitelisted
kingswagy.ru 81.177.141.81 unknown

Threats

PID Process Class Message
3236 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI

Debug output strings

No debug info.