General Info

File name

SPAM2.zip

Full analysis
https://app.any.run/tasks/b463a247-0b16-4307-b5d2-c11ed54aa00f
Verdict
Malicious activity
Analysis date
10/9/2019, 15:06:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

trojan

stealer

eredel

baldr

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

d0993b2df29528ffee79d50a52bd4a08

SHA1

34fd23f4729e2a6b63d8d1dc311188d2188e6ef9

SHA256

db29691e24f2660ddb8c7eeb4e5b50d0c96c65806ce6b94958cc57f90deaee2a

SSDEEP

98304:CxFOmH/EmaB8knUxODI4/Fe5nWplHsQ1aNNGyTnWEPgoZm3DM:SImHfaBZnPDNgCH31aNNGyTnDPgIm3DM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
545 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

Application was dropped or rewritten from another process
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
  • drawing.exe (PID: 2344)
Stealing of credential data
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
Connects to CnC server
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
Actions look like stealing of personal data
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
EREDEL was detected
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 1980)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
Reads the cookies of Google Chrome
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
Uses WMIC.EXE to obtain system information
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
Searches for installed software
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
Manual execution by user
  • WinRAR.exe (PID: 1980)
  • stepa.asyx.rulogin (1).exe (PID: 2260)
  • stepa.asyx.rulogin (2).exe (PID: 2124)
  • stepa.asyx.rulogin (3).exe (PID: 1420)
  • stepa.asyx.rulogin (4).exe (PID: 2156)
  • NOTEPAD.EXE (PID: 1452)

Static information

TRiD
.zip: ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:10:09 15:04:04
ZipCRC:
0x6b5af83a
ZipCompressedSize:
1512447
ZipUncompressedSize:
1622016
ZipFileName:
stepa.asyx.rulogin (1).exe

Processes

Total processes
58
Monitored processes
12
Malicious processes
4
Suspicious processes
0

Behavior graph

Graph content as extracted, in display order (the icon legend is omitted; #EREDEL marks the four detected stealer processes, "no specs" marks nodes without additional indicators): start, drop and start, winrar.exe (no specs), winrar.exe, #EREDEL stepa.asyx.rulogin (1).exe, wmic.exe (no specs), #EREDEL stepa.asyx.rulogin (2).exe, wmic.exe (no specs), drawing.exe (no specs), #EREDEL stepa.asyx.rulogin (3).exe, wmic.exe (no specs), #EREDEL stepa.asyx.rulogin (4).exe, wmic.exe (no specs), notepad.exe (no specs)

Process information

PID
1856
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll

PID
1980
CMD
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SPAM2.zip" C:\Users\admin\Desktop\SPAM2\
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2260
CMD
"C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (1).exe"
Path
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (1).exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\spam2\stepa.asyx.rulogin (1).exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\syswow64\msvcr120_clr0400.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\syswow64\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wbem\wmic.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\rtutils.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll

PID
2864
CMD
"wmic" os get Caption /format:list
Path
C:\Windows\SysWOW64\Wbem\wmic.exe
Indicators
No indicators
Parent process
stepa.asyx.rulogin (1).exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\framedynos.dll
c:\windows\syswow64\wtsapi32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\msxml3.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\program files (x86)\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\wbem\xml\wmi2xml.dll

PID
2124
CMD
"C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (2).exe"
Path
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (2).exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Apple Inc.
Description
libtidy.dll
Version
15.18.1.2330
Modules
Image
c:\users\admin\desktop\spam2\stepa.asyx.rulogin (2).exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\syswow64\msvcr120_clr0400.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wbem\wmic.exe
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\wpdshext.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\local\temp\drawing.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\crypt32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\rtutils.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll

PID
2716
CMD
"wmic" os get Caption /format:list
Path
C:\Windows\SysWOW64\Wbem\wmic.exe
Indicators
No indicators
Parent process
stepa.asyx.rulogin (2).exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\framedynos.dll
c:\windows\syswow64\wtsapi32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\msxml3.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\program files (x86)\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\wbem\xml\wmi2xml.dll

PID
2344
CMD
"C:\Users\admin\AppData\Local\Temp\drawing.exe" C:\Users\admin\AppData\Local\Temp\\cc0421e834a74a7fb35798ccd7055ab0
Path
C:\Users\admin\AppData\Local\Temp\drawing.exe
Indicators
No indicators
Parent process
stepa.asyx.rulogin (2).exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\drawing.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\b308b9c61f65cf2dfd876031ee385ba4\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\095a3392942c3d4eb888e6a32036acd8\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\dcbadb02f6000b436f1cb0fb736df3ee\system.drawing.ni.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\oleaut32.dll

PID
1420
CMD
"C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (3).exe"
Path
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (3).exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
ApiSet Stub DLL
Version
10.0.10137.0 (th1.150602-2238)
Modules
Image
c:\users\admin\desktop\spam2\stepa.asyx.rulogin (3).exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\syswow64\msvcr120_clr0400.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wbem\wmic.exe
c:\windows\syswow64\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\rtutils.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll

PID
1612
CMD
"wmic" os get Caption /format:list
Path
C:\Windows\SysWOW64\Wbem\wmic.exe
Indicators
No indicators
Parent process
stepa.asyx.rulogin (3).exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\framedynos.dll
c:\windows\syswow64\wtsapi32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\msxml3.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\program files (x86)\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\wbem\xml\wmi2xml.dll

PID
2156
CMD
"C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (4).exe"
Path
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (4).exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\spam2\stepa.asyx.rulogin (4).exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\syswow64\msvcr120_clr0400.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\syswow64\api-ms-win-core-xstate-l2-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\wbem\wmic.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\rtutils.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll

PID
1436
CMD
"wmic" os get Caption /format:list
Path
C:\Windows\SysWOW64\Wbem\wmic.exe
Indicators
No indicators
Parent process
stepa.asyx.rulogin (4).exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\framedynos.dll
c:\windows\syswow64\wtsapi32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\msxml3.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\program files (x86)\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\wbem\xml\wmi2xml.dll

PID
1452
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\New Text Document.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

Registry activity

Total events
594
Read events
548
Write events
46
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
1856
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\SPAM2.zip
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_0
4C000000730100000402000000000000D4D0C80000000000000000000000000000000000000000002E020400000000000000000039000000B402000000000000000000000000000001000000
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_1
4C000000730100000500000000000000D4D0C8000000000000000000000000000000000000000000300205000000000000000000160000002A00000000000000000000000000000002000000
1856
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_2
4C000000730100000400000000000000D4D0C8000000000000000000000000000000000000000000260204000000000000000000160000006400000000000000000000000000000003000000
1980
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
1980
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
1980
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
1980
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
1980
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
1980
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
EnableConsoleTracing
0
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASAPI32
EnableFileTracing
0
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASAPI32
EnableConsoleTracing
0
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASAPI32
FileTracingMask
4294901760
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASAPI32
ConsoleTracingMask
4294901760
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASAPI32
MaxFileSize
1048576
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASAPI32
FileDirectory
%windir%\tracing
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASMANCS
EnableFileTracing
0
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASMANCS
EnableConsoleTracing
0
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASMANCS
FileTracingMask
4294901760
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASMANCS
ConsoleTracingMask
4294901760
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASMANCS
MaxFileSize
1048576
2260
stepa.asyx.rulogin (1).exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\stepa_RASMANCS
FileDirectory
%windir%\tracing
2124
stepa.asyx.rulogin (2).exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2124
stepa.asyx.rulogin (2).exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2124
stepa.asyx.rulogin (2).exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2124
stepa.asyx.rulogin (2).exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0

Files activity

Executable files
5
Suspicious files
8
Text files
20
Unknown types
8

Dropped files

PID
Process
Filename
Type
1980
WinRAR.exe
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (3).exe
executable
MD5: a6f61afc67febc0206fb63cfb432d4d8
SHA256: d5c6a18e35e7fda55eee61cb26e2137b42a17608a4d25a2324e1b3e157320ee0
1980
WinRAR.exe
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (4).exe
executable
MD5: cbc1b0c5a7566d74e0ae8ad4c3aefcc0
SHA256: 9ba147ef35dc03c20b5da5ea779cc274f446ecf9cc276ea6530f13c935f3bdc2
1980
WinRAR.exe
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (2).exe
executable
MD5: 03be6c8cdddeb1aeb40736dead78d5b4
SHA256: 47096080e39bd840423b99edf208b32e00d53ef3963edc289a2c10abd704547c
1980
WinRAR.exe
C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (1).exe
executable
MD5: 0f91ce6dbafa2051d088e01188461837
SHA256: 47aa2b91185660d49ceac2ed9f383b2afdc38767117893f18fc28e73f6648ec0
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\drawing.exe
executable
MD5: 1e4284154d3101baa33e4be1f69bb83d
SHA256: c443cecb2f0d1a4877f5ea57b4e920d378dc62e174f0ff04d34c12950efaf196
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738\passwords.log
text
MD5: b0cbd6567ae86c7a9edef687735253cc
SHA256: a28a71569ad4dfe0f7bb59335444deb58f05372d7bb805e67a796dcb26bfbf49
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\3e50.11188b
––
MD5:  ––
SHA256:  ––
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\f283.7e8e4f
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738\Cookies\Chrome.txt
text
MD5: c396ebca97d2e86f024fe99b473d3e4e
SHA256: 43a989a5c56d528779c2fe7f41dc07bf0856d8fc5eef9384df7816195d6e4bb5
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\e617.4fcc90
––
MD5:  ––
SHA256:  ––
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738\screen.jpg
image
MD5: c38c6ad736d3519e7d3dad0937d9823c
SHA256: 4350b5b13b2c689fa8c1a31a7eb17ad878c4c80fdab0dddaf7f37843837107c2
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4.zip
compressed
MD5: ae9b5939913789fafad20b955d817366
SHA256: 0cb0bd3e8df8bda16e09cd27f1b30697ecf034a5e04b2ae24637c992a2692b05
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4\Desktop\pointseconomic.jpg
image
MD5: 5b9617fd6dc69dc7bfecff8689d1a338
SHA256: b42312180dd1968ca6afba1d5ea5b7fcc8881cc108a0e9747865200a9d34eac0
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\0de4.0d4354
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4\Desktop\SPAM2.zip
compressed
MD5: d0993b2df29528ffee79d50a52bd4a08
SHA256: db29691e24f2660ddb8c7eeb4e5b50d0c96c65806ce6b94958cc57f90deaee2a
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4\Desktop\indiajanuary.jpg
image
MD5: 44452031a94b8aa37a6a347498dbb02f
SHA256: b5342beb45d07a480dcc27c302b62abfa45269f617908ecb20006b3c59e07f91
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4\Cookies\Chrome.txt
text
MD5: c396ebca97d2e86f024fe99b473d3e4e
SHA256: 43a989a5c56d528779c2fe7f41dc07bf0856d8fc5eef9384df7816195d6e4bb5
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4\passwords.log
text
MD5: b0cbd6567ae86c7a9edef687735253cc
SHA256: a28a71569ad4dfe0f7bb59335444deb58f05372d7bb805e67a796dcb26bfbf49
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\3de5.72bf9c
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\b693.f16cbc
––
MD5:  ––
SHA256:  ––
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\f881.fd840e
––
MD5:  ––
SHA256:  ––
1420
stepa.asyx.rulogin (3).exe
C:\Users\admin\AppData\Local\Temp\78abf4882455420bb6d85f12c4e5fec4\screen.jpg
image
MD5: e70e401b366f0ec18e2f629b6d076448
SHA256: 12fec2ef58945005f78bfce37e9836299429e942d275e2465f9d5a75fe9acdea
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0.zip
compressed
MD5: ef9f8a7b78831f1776c5bfc9e467ae0b
SHA256: 3730cbd75eb76848b4904d40e248dd2a5744c418d436695f81e323bc28d58c5e
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0\Desktop\SPAM2.zip
compressed
MD5: d0993b2df29528ffee79d50a52bd4a08
SHA256: db29691e24f2660ddb8c7eeb4e5b50d0c96c65806ce6b94958cc57f90deaee2a
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0\Desktop\pointseconomic.jpg
image
MD5: 5b9617fd6dc69dc7bfecff8689d1a338
SHA256: b42312180dd1968ca6afba1d5ea5b7fcc8881cc108a0e9747865200a9d34eac0
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0\passwords.log
text
MD5: b0cbd6567ae86c7a9edef687735253cc
SHA256: a28a71569ad4dfe0f7bb59335444deb58f05372d7bb805e67a796dcb26bfbf49
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\93b5b52d.94a3
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0\Desktop\indiajanuary.jpg
image
MD5: 44452031a94b8aa37a6a347498dbb02f
SHA256: b5342beb45d07a480dcc27c302b62abfa45269f617908ecb20006b3c59e07f91
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0\Cookies\Chrome.txt
text
MD5: c396ebca97d2e86f024fe99b473d3e4e
SHA256: 43a989a5c56d528779c2fe7f41dc07bf0856d8fc5eef9384df7816195d6e4bb5
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\69ac6b6e.1cc1
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\1a7a4ebc.8ad8
––
MD5:  ––
SHA256:  ––
2124
stepa.asyx.rulogin (2).exe
C:\Users\admin\AppData\Local\Temp\fb88b745.ae37
––
MD5:  ––
SHA256:  ––
2344
drawing.exe
C:\Users\admin\AppData\Local\Temp\cc0421e834a74a7fb35798ccd7055ab0\screen.jpg
image
MD5: 4b99f614e6abc7eedf26ab140b14383a
SHA256: a5ef647d976aa96f6f25443b1bea5a1b5597cb4b845adb48491ddfb9253f8acb
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738.zip
compressed
MD5: 8ced5689a24e7aaf8b64c5dfb2d8f762
SHA256: b0b9a5657360146356eee6b4330098eafd39cef0ca6895725c9434910830ca14
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09.zip
compressed
MD5: 2b178180cfdfd126917a1e3d496d6785
SHA256: 2232c8133635431ece3dc51bc736a7b4e253e5495f9d19bac974f25d2d8e1269
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\Desktop\indiajanuary.jpg
image
MD5: 44452031a94b8aa37a6a347498dbb02f
SHA256: b5342beb45d07a480dcc27c302b62abfa45269f617908ecb20006b3c59e07f91
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\Desktop\SPAM2.zip
compressed
MD5: d0993b2df29528ffee79d50a52bd4a08
SHA256: db29691e24f2660ddb8c7eeb4e5b50d0c96c65806ce6b94958cc57f90deaee2a
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\Desktop\pointseconomic.jpg
image
MD5: 5b9617fd6dc69dc7bfecff8689d1a338
SHA256: b42312180dd1968ca6afba1d5ea5b7fcc8881cc108a0e9747865200a9d34eac0
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\5c6a.84edd0
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\passwords.log
text
MD5: b0cbd6567ae86c7a9edef687735253cc
SHA256: a28a71569ad4dfe0f7bb59335444deb58f05372d7bb805e67a796dcb26bfbf49
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\74ee.d876ce
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\86c7.ab7670
––
MD5:  ––
SHA256:  ––
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\Cookies\Chrome.txt
text
MD5: c396ebca97d2e86f024fe99b473d3e4e
SHA256: 43a989a5c56d528779c2fe7f41dc07bf0856d8fc5eef9384df7816195d6e4bb5
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\976c.77e4a0
––
MD5:  ––
SHA256:  ––
2260
stepa.asyx.rulogin (1).exe
C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\screen.jpg
image
MD5: 425da6432dc431dfc764353ccc150e2b
SHA256: f215e0e9e517656ae40a1a625e5fa6e5d9c70b272c5c521094f0ec55c0612903
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738\Desktop\pointseconomic.jpg
image
MD5: 5b9617fd6dc69dc7bfecff8689d1a338
SHA256: b42312180dd1968ca6afba1d5ea5b7fcc8881cc108a0e9747865200a9d34eac0
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738\Desktop\indiajanuary.jpg
image
MD5: 44452031a94b8aa37a6a347498dbb02f
SHA256: b5342beb45d07a480dcc27c302b62abfa45269f617908ecb20006b3c59e07f91
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\c9d8.cca221
sqlite
MD5: 379e18548c70dc5450018821eaf3ae0c
SHA256: 3e4d0b85421d6d9b10045d1d8d82b75aa076c4052a22a7dd9b398f7f1ea3bc59
2156
stepa.asyx.rulogin (4).exe
C:\Users\admin\AppData\Local\Temp\5231639c081c4fe3b3d523a2d979b738\Desktop\SPAM2.zip
compressed
MD5: d0993b2df29528ffee79d50a52bd4a08
SHA256: db29691e24f2660ddb8c7eeb4e5b50d0c96c65806ce6b94958cc57f90deaee2a


Network activity

HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
1
Threats
28

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2156 stepa.asyx.rulogin (4).exe POST 200 178.33.33.187:80 http://stepa.asyx.ru/gate.php?hwid=7CD9E0E6&os=Windows%207&file=3&cookie=7&pswd=1&credit=0&autofill=0&wallets=0&telegram=0&id=&version=v1.2.5 DE binary –– –– malicious


Connections

PID Process IP ASN CN Reputation
2260 stepa.asyx.rulogin (1).exe 178.33.33.187:80 OVH SAS DE malicious
2124 stepa.asyx.rulogin (2).exe 178.33.33.187:80 OVH SAS DE malicious
1420 stepa.asyx.rulogin (3).exe 178.33.33.187:80 OVH SAS DE malicious
2156 stepa.asyx.rulogin (4).exe 178.33.33.187:80 OVH SAS DE malicious

DNS requests

Domain IP Reputation
stepa.asyx.ru 178.33.33.187 malicious

Threats

PID Process Class Message
2260 stepa.asyx.rulogin (1).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
2260 stepa.asyx.rulogin (1).exe A Network Trojan was detected ET TROJAN MSIL/Eredel Stealer CnC Checkin
2260 stepa.asyx.rulogin (1).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan-Spy.MSIL.Agent.gen (Eredel Stealer)
2260 stepa.asyx.rulogin (1).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan.PWS.Stealer.Gen.Baldr
2260 stepa.asyx.rulogin (1).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2260 stepa.asyx.rulogin (1).exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
2124 stepa.asyx.rulogin (2).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
2124 stepa.asyx.rulogin (2).exe A Network Trojan was detected ET TROJAN MSIL/Eredel Stealer CnC Checkin
2124 stepa.asyx.rulogin (2).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan-Spy.MSIL.Agent.gen (Eredel Stealer)
2124 stepa.asyx.rulogin (2).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan.PWS.Stealer.Gen.Baldr
2124 stepa.asyx.rulogin (2).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2124 stepa.asyx.rulogin (2).exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
1420 stepa.asyx.rulogin (3).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
1420 stepa.asyx.rulogin (3).exe A Network Trojan was detected ET TROJAN MSIL/Eredel Stealer CnC Checkin
1420 stepa.asyx.rulogin (3).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan-Spy.MSIL.Agent.gen (Eredel Stealer)
1420 stepa.asyx.rulogin (3).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan.PWS.Stealer.Gen.Baldr
1420 stepa.asyx.rulogin (3).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no accept headers
1420 stepa.asyx.rulogin (3).exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
2156 stepa.asyx.rulogin (4).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
2156 stepa.asyx.rulogin (4).exe A Network Trojan was detected ET TROJAN MSIL/Eredel Stealer CnC Checkin
2156 stepa.asyx.rulogin (4).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan-Spy.MSIL.Agent.gen (Eredel Stealer)
2156 stepa.asyx.rulogin (4).exe A Network Trojan was detected MALWARE [PTsecurity] Trojan.PWS.Stealer.Gen.Baldr
2156 stepa.asyx.rulogin (4).exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2156 stepa.asyx.rulogin (4).exe Potentially Bad Traffic ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

4 ETPRO signatures available at the full report

Debug output strings

Process Message
stepa.asyx.rulogin (4).exe %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------