File name:

02600004

Full analysis: https://app.any.run/tasks/1a59f975-ca66-4487-bdb7-cd5654dffab4
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: August 09, 2021, 23:56:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
backdoor
qbot
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

1408275C2E2C8FE5E83227BA371AC6B3

SHA1:

DAC3D479CE4AF6D2FFD5314191E768543ACFE32D

SHA256:

CC185105946C202D9FD0EF18423B078CD8E064B1E2A87E93ED1B3D4F2CBDB65D

SSDEEP:

6144:1mkhfOCMFhvKnJP1flVS3Di3DMFOJJJJJJJJ8JJJJJJJJJJJJJJJJJJJJJJJJJJY:in+lQDiwFPZg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 02600004.exe (PID: 2612)
    • Application was injected by another process

      • Explorer.EXE (PID: 1896)
      • conhost.exe (PID: 2500)
      • taskeng.exe (PID: 776)
      • Dwm.exe (PID: 600)
      • SearchProtocolHost.exe (PID: 908)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2484)
    • Runs injected code in another process

      • 02600004.exe (PID: 2612)
      • ebgqylu.exe (PID: 2368)
    • Changes internet zones settings

      • ebgqylu.exe (PID: 2368)
    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 2872)
    • QBOT was detected

      • iexplore.exe (PID: 1328)
    • Connects to CnC server

      • iexplore.exe (PID: 1328)
  • SUSPICIOUS

    • Reads the computer name

      • 02600004.exe (PID: 2612)
      • ebgqylu.exe (PID: 2368)
      • conhost.exe (PID: 2500)
      • cmd.exe (PID: 2484)
    • Checks supported languages

      • ebgqylu.exe (PID: 2368)
      • conhost.exe (PID: 2500)
      • 02600004.exe (PID: 2612)
      • cmd.exe (PID: 2484)
    • Starts CMD.EXE for self-deleting

      • Explorer.EXE (PID: 1896)
    • Drops a file that was compiled in debug mode

      • 02600004.exe (PID: 2612)
    • Reads Windows Product ID

      • 02600004.exe (PID: 2612)
      • ebgqylu.exe (PID: 2368)
    • Creates files in the user directory

      • 02600004.exe (PID: 2612)
    • Executable content was dropped or overwritten

      • 02600004.exe (PID: 2612)
    • Starts CMD.EXE for commands execution

      • Explorer.EXE (PID: 1896)
    • Starts Internet Explorer

      • Explorer.EXE (PID: 1896)
    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3612)
  • INFO

    • Checks supported languages

      • PING.EXE (PID: 2792)
      • mmc.exe (PID: 2872)
      • iexplore.exe (PID: 3612)
      • iexplore.exe (PID: 1328)
      • iexplore.exe (PID: 2624)
      • SearchProtocolHost.exe (PID: 908)
    • Manual execution by user

      • ebgqylu.exe (PID: 2368)
      • cmd.exe (PID: 2484)
      • mmc.exe (PID: 2132)
      • mmc.exe (PID: 2872)
      • iexplore.exe (PID: 1328)
    • Reads the computer name

      • PING.EXE (PID: 2792)
      • mmc.exe (PID: 2872)
      • iexplore.exe (PID: 3612)
      • SearchProtocolHost.exe (PID: 908)
      • iexplore.exe (PID: 1328)
      • iexplore.exe (PID: 2624)
    • Changes internet zones settings

      • iexplore.exe (PID: 1328)
    • Creates files in the user directory

      • iexplore.exe (PID: 1328)
      • iexplore.exe (PID: 3612)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3612)
      • iexplore.exe (PID: 1328)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1328)
    • Application launched itself

      • iexplore.exe (PID: 1328)
      • iexplore.exe (PID: 3612)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3612)
      • iexplore.exe (PID: 1328)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3612)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3612)
      • iexplore.exe (PID: 1328)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1328)
      • iexplore.exe (PID: 3612)
    • Searches for installed software

      • iexplore.exe (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:11:21 21:03:38+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 335872
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Stencyl, LLC
FileDescription: Stencyl 2.0
FileVersion: 2
InternalName: Stencyl
LegalCopyright: Copyright, Stencyl, LLC
OriginalFileName: Stencyl.exe
ProductName: Stencyl
ProductVersion: 2

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 21-Nov-2014 20:03:38
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • import1.pdb
CompanyName: Stencyl, LLC
FileDescription: Stencyl 2.0
FileVersion: 2.0
InternalName: Stencyl
LegalCopyright: Copyright, Stencyl, LLC
OriginalFilename: Stencyl.exe
ProductName: Stencyl
ProductVersion: 2.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 21-Nov-2014 20:03:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005532
0x00006000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
4.94189
.rdata
0x00007000
0x00031A73
0x00032000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.19099
.data
0x00039000
0x0000033C
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.61026
.reloc
0x0003A000
0x00000407
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0003B000
0x0001D27C
0x0001E000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.19472

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.2335
672
UNKNOWN
Process Default Language
RT_VERSION
2
4.58513
67624
UNKNOWN
Process Default Language
RT_ICON
3
4.773
16936
UNKNOWN
Process Default Language
RT_ICON
4
4.47585
9640
UNKNOWN
Process Default Language
RT_ICON
5
4.61766
4264
UNKNOWN
Process Default Language
RT_ICON
6
4.85921
2440
UNKNOWN
Process Default Language
RT_ICON
7
5.02095
2064
UNKNOWN
Process Default Language
RT_ICON
8
5.03074
1128
UNKNOWN
Process Default Language
RT_ICON
10
1.79248
6
UNKNOWN
Process Default Language
RT_RCDATA
14
2.80735
7
UNKNOWN
Process Default Language
RT_RCDATA

Imports

KERNEL32.dll
SHLWAPI.dll
USER32.dll (delay-loaded)
WINMM.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
14
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject inject inject inject inject 02600004.exe ebgqylu.exe no specs cmd.exe no specs ping.exe no specs taskeng.exe dwm.exe conhost.exe mmc.exe no specs mmc.exe explorer.exe #QBOT iexplore.exe iexplore.exe iexplore.exe no specs searchprotocolhost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2612"C:\Users\admin\AppData\Local\Temp\02600004.exe" C:\Users\admin\AppData\Local\Temp\02600004.exe
Explorer.EXE
User:
admin
Company:
Stencyl, LLC
Integrity Level:
MEDIUM
Description:
Stencyl 2.0
Exit code:
0
Version:
2.0
Modules
Images
c:\users\admin\appdata\local\temp\02600004.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
2368"C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe"C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exeExplorer.EXE
User:
admin
Company:
Stencyl, LLC
Integrity Level:
MEDIUM
Description:
Stencyl 2.0
Version:
2.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\roaming\microsoft\ebgqylu\ebgqylu.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2484cmd /c ping -n 10 localhost && del "C:\Users\admin\AppData\Local\Temp\02600004.exe"C:\Windows\system32\cmd.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2792ping -n 10 localhost C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
776taskeng.exe {22B6E91C-5B0B-4FB0-99A8-D59901096E38}C:\Windows\system32\taskeng.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
600"C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
2500\??\C:\Windows\system32\conhost.exe "92857863-1693453631032617958-101514155-237740995-521017290-2077688268-2067374097"\??\C:\Windows\system32\conhost.exe
csrss.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2132"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
2872"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mfc42u.dll
1896C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
29 118
Read events
28 909
Write events
201
Delete events
8

Modification events

(PID) Process:(2612) 02600004.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:qxnds
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu.exe"
(PID) Process:(2368) ebgqylu.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Operation:writeName:2500
Value:
3
(PID) Process:(1896) Explorer.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1896) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ApplicationDestinations
Operation:writeName:MaxEntries
Value:
15
(PID) Process:(1896) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msc\OpenWithProgids
Operation:writeName:MSCFile
Value:
(PID) Process:(1896) Explorer.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@C:\Windows\system32\mmcbase.dll,-13351
Value:
&Author
(PID) Process:(1896) Explorer.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:@%windir%\system32\miguiresource.dll,-202
Value:
Schedule computer tasks to run automatically.
(PID) Process:(1896) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:Zvpebfbsg.NhgbTrarengrq.{15962175-7QSP-O1Q7-O0Q1-RO4P08SSQ754}
Value:
000000000800000004000000D3380700000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF0CBE7437A8DD70100000000
(PID) Process:(1896) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000003F0100006B020000D84611013F0000004A0000008E0F0D004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C007400000028003E004000A4E75102B8E651020000000000000000000000000000080274E45102000008026CE25102000000000000D26CFFFFFFFF705911750000000000000000A4E251027C900D75000400000000000008E35102FFFFFFFF38EA7000FFFFFFFF080A7400D80E740030EA7000D4E25102F7AF3D7680D0707614F05102081D3E76E4613E766820700008E351020000000071000000BBF2CB00E8E25102A1693E766820700008E351020000000014E551023F613E766820700008E3510200000400000000800400000026E4510298E351025DA5147726E45102D26E147779A51477D6794D7526E4510210E65102000100006400610072E3510226E451026F0061006D0069006E0067005C006D006900630072006F0073006F0066007400CCE351023400000080E35102DE70310033003300350033003800310030003000F8E551025A000000A0E351021DA71477D6610E02D4E351025A00000010E651025C00000011000000104F7000084F7000F8E55102C4E3510220E40000D7F3CB00D0E351025E903E7620E45102D4E3510203943E760000000064561802FCE35102A9933E7664561802A8E45102D8511802BD933E7600000000D8511802A8E4510204E45102000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01000000007200000032AC5D004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000045003700430036004500410037004400320037007D005C0063006D0064002E0065007800650000000000D45D38760000000005000000D80B3902000000000000000000000000000000000000000000000000CB0501AD000000000000000000000000000000000000000000000000000000000000000030E69D01A8323876B8E59D01C0E59D0154E59D0100000000000000000000000000000000480B39020000000005000000D80B390200000000340C390268E59D01B0E59D010000000000000000E8B93902050000002000000000000000000000000400400000001A0098E59D0100000000000000000000000000000000040000009EE69D0110E69D015DA5B3779EE69D01D26EB37779A5B377114526769EE69D0188E89D0104000000C6E69D0138E69D015DA5B377C6E69D01D26EB37779A5B37739452676C6E69D01B0E89D0100010000E8FE1C0012E69D01C6E69D0168E69D015DA5310033003300350033003800310011000000104F1D00084F1D001AE79D018CE69D015DA5B37774E60000B777588D24E69D015E90D47674E69D0128E69D010394D47600000000D422E60250E69D01A993D476D422E602FCE69D01481EE602BD93D47600000000481EE602FCE69D0158E69D01
(PID) Process:(1896) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Operation:writeName:{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Flfgrz Gbbyf\Gnfx Fpurqhyre.yax
Value:
00000000080000000000000007000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF0CBE7437A8DD70100000000
Executable files
1
Suspicious files
21
Text files
162
Unknown types
14

Dropped files

PID
Process
Filename
Type
3612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\social[1].csstext
MD5:B42B9C7E731408205B611FBB532F511F
SHA256:287E4C54269937C93EF680E0DCBAE4B5E3FF630A12698ACC7D2EB527B1598B79
3612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\instagram[1].pngimage
MD5:95FD424420005BCBF324E0219845C132
SHA256:97E35ACCD166FFA4D0B84862E2F8C2C36B5B8433D7A20AF382DEE3F104087E77
3612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:FEAFBE7312EFEE12BBFC8098A52D9CB8
SHA256:87AD745659F9E7F22C212C7BA8783E0B473CC9D29F03D79159F9C38B58BAB79F
3612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\de-71d089[1].csstext
MD5:E86ABE78D0A0FEA5962432DD802E6F6A
SHA256:2DD894A94053B2B9B607C420F68387F960822B374C47D2250078A0772F72C19C
3612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:9309A9769F57289B87C8BD232E5D7DE1
SHA256:71361D7A2D127C68111E23C5D778454B141441AA6877ABB266FA165D94BF8D48
3612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEbinary
MD5:30668C62F71A4D8EBA6A919D41133EA2
SHA256:59DA73528DACD991A987FADCE5B0AD57709E856ED5289192337E860274555740
1328iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Ebgqylu\ebgqylu32.dllbinary
MD5:449D755623827588A9A2F8B898B23ECE
SHA256:991ACC5F42A097DB5A7D864F230597C9076F6AF7C02F9BBB562BFDE4A20F1232
3612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\pl-pl[1].htmhtml
MD5:4A73DDEE1635D354E0E786B97601B9F2
SHA256:27E51056AA3F75BA5D917F603E16C8B4217FECE01B8D7719940EFDC19B575759
3612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231der
MD5:13D6CE76B0307FA5C79A467CD6CF2044
SHA256:996144ACCC8077E2CC00241EB9F40CFA7B6ED245F2BB87FF77013660F6981D35
3612iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:DBD4631E9AC8B000AF8DE27C1C4C7F91
SHA256:7F06B412E32DCB8944F46C37878840AA6858F68D54562A0C026D7FB54AD47731
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
108
TCP/UDP connections
162
DNS requests
175
Threats
116

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1328
iexplore.exe
POST
200
23.217.138.108:80
http://eldmsznfvaerygcqxeqnnra.org/sRUmecm9ZIYSpfTO4RoJnVNi.php
US
html
407 b
malicious
1328
iexplore.exe
GET
200
23.55.163.73:80
http://crl.identrust.com/DSTROOTCAX3CRL.crl
US
der
1.16 Kb
whitelisted
3612
iexplore.exe
GET
302
104.79.89.142:80
http://www.microsoft.com/
US
whitelisted
1328
iexplore.exe
GET
200
104.117.200.9:80
http://x1.c.lencr.org/
US
der
717 b
whitelisted
1328
iexplore.exe
GET
200
23.55.163.48:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOJmhpORegA9EYQOcKkSXcmlg%3D%3D
US
der
503 b
shared
3612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
3612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
3612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
3612
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D
US
der
1.47 Kb
whitelisted
1328
iexplore.exe
GET
301
213.186.33.5:80
http://forumity.com/show-ip.php
FR
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3612
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3612
iexplore.exe
13.107.246.45:443
mem.gfx.ms
Microsoft Corporation
US
suspicious
3612
iexplore.exe
13.107.213.45:443
mem.gfx.ms
Microsoft Corporation
US
suspicious
3612
iexplore.exe
67.26.137.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
malicious
3612
iexplore.exe
104.79.89.142:80
www.microsoft.com
Time Warner Cable Internet LLC
US
unknown
3612
iexplore.exe
104.79.89.142:443
www.microsoft.com
Time Warner Cable Internet LLC
US
unknown
3612
iexplore.exe
23.6.112.130:443
img-prod-cms-rt-microsoft-com.akamaized.net
Akamai International B.V.
NL
unknown
1328
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1328
iexplore.exe
172.217.18.110:80
google.com
Google Inc.
US
whitelisted
3612
iexplore.exe
40.77.226.250:443
web.vortex.data.microsoft.com
Microsoft Corporation
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 104.79.89.142
whitelisted
ctldl.windowsupdate.com
  • 67.26.137.254
  • 8.253.204.249
  • 67.27.157.126
  • 8.241.122.126
  • 8.253.95.121
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
assets.onestore.ms
  • 173.223.112.240
whitelisted
web.vortex.data.microsoft.com
  • 40.77.226.250
whitelisted
mem.gfx.ms
  • 13.107.213.45
  • 13.107.246.45
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 23.6.112.130
  • 23.6.112.153
whitelisted
wcpstatic.microsoft.com
  • 13.107.246.45
  • 13.107.213.45
whitelisted
microsoftwindows.112.2o7.net
  • 13.36.218.177
  • 15.188.95.229
  • 15.236.176.210
whitelisted
c.s-microsoft.com
  • 23.47.209.178
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
90 ETPRO signatures available at the full report
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn