File name: Accounts.exe

Full analysis: https://app.any.run/tasks/144c6507-3bef-4519-9ed3-a0e2b2b2441f
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 15, 2024, 13:22:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
rat
remcos
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 386F092F96B545910A0476742B25E1BB
SHA1: 5DE0AC31F9FB6A1C6BBB29DC425B3C097394E1BC
SHA256: FAAC5B936209215958E0B3929303E9EFC78243280203D569DB4CA7AF5C8FAB98
SSDEEP: 49152:TgjaRUVr1Y/jqhYk5r1mIfjHON26/70MGwUfnMxV9cV/Uoh:ut96/jqak5HjONzOwUfneVmV/UY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts PowerShell from an unusual location
      • per.exe (PID: 6604)
    • Adds extension to the Windows Defender exclusion list
      • per.exe (PID: 6604)
    • REMCOS has been detected (SURICATA)
      • SndVol.exe (PID: 6876)
    • Connects to the CnC server
      • SndVol.exe (PID: 6876)
  • SUSPICIOUS
    • There is functionality for taking screenshots (YARA)
      • Accounts.exe (PID: 1440)
    • Reads security settings of Internet Explorer
      • Accounts.exe (PID: 1440)
    • Executes commands from a ".cmd" file
      • Accounts.exe (PID: 1440)
    • Starts CMD.EXE for command execution
      • Accounts.exe (PID: 1440)
    • Likely accesses (executes) a file from the Public directory
      • esentutl.exe (PID: 7160)
      • esentutl.exe (PID: 4476)
      • cmd.exe (PID: 3964)
      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 6172)
      • alpha.pif (PID: 7076)
      • xpha.pif (PID: 7100)
      • esentutl.exe (PID: 6244)
      • pha.pif (PID: 6960)
      • alpha.pif (PID: 6888)
      • alpha.pif (PID: 1184)
      • esentutl.exe (PID: 6128)
      • alpha.pif (PID: 5524)
    • Executable content was dropped or overwritten
      • esentutl.exe (PID: 4476)
      • esentutl.exe (PID: 7160)
      • Accounts.exe (PID: 1440)
      • esentutl.exe (PID: 6244)
      • esentutl.exe (PID: 6128)
    • Starts a Microsoft application from an unusual location
      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 7076)
      • alpha.pif (PID: 6172)
      • xpha.pif (PID: 7100)
      • pha.pif (PID: 6960)
      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 6888)
      • alpha.pif (PID: 1184)
    • Created directory related to system
      • alpha.pif (PID: 5524)
    • Starts itself from another location
      • cmd.exe (PID: 3964)
    • Starts an application with an unusual extension
      • cmd.exe (PID: 3964)
      • alpha.pif (PID: 7076)
      • per.exe (PID: 6604)
    • Process drops a legitimate Windows executable
      • Accounts.exe (PID: 1440)
    • Contacting a server suspected of hosting a CnC
      • SndVol.exe (PID: 6876)
    • Checks for external IP
      • SndVol.exe (PID: 6876)
    • Connects to an unusual port
      • SndVol.exe (PID: 6876)
  • INFO
    • Checks supported languages
      • Accounts.exe (PID: 1440)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 530432
InitializedDataSize: 766464
UninitializedDataSize: -
EntryPoint: 0x828b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 150
Monitored processes: 22
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes, as listed: start, THREAT, accounts.exe, cmd.exe (no specs), conhost.exe (no specs), esentutl.exe, esentutl.exe, alpha.pif (no specs), alpha.pif (no specs), alpha.pif (no specs), xpha.pif (no specs), per.exe (no specs), per.exe (no specs), per.exe, esentutl.exe, conhost.exe (no specs), pha.pif (no specs), conhost.exe (no specs), alpha.pif (no specs), alpha.pif (no specs), alpha.pif (no specs), esentutl.exe, conhost.exe (no specs), #REMCOS sndvol.exe

Process information

PID | CMD | Path | Indicators | Parent process
1184 | C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" | C:\Users\Public\alpha.pif | - | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 145
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1440 | "C:\Users\admin\AppData\Local\Temp\Accounts.exe" | C:\Users\admin\AppData\Local\Temp\Accounts.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\accounts.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
2484 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | pha.pif
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3912 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | esentutl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3964 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\Libraries\ggzsczzT.cmd" " | C:\Windows\SysWOW64\cmd.exe | - | Accounts.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4476 | C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o | C:\Windows\SysWOW64\esentutl.exe | - | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5524 | C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " | C:\Users\Public\alpha.pif | - | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5524 | C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 | C:\Users\Public\alpha.pif | - | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 145
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5912 | "C:\Windows \SysWOW64\per.exe" | C:\Windows \SysWOW64\per.exe | - | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Exchange ActiveSync Invoker
Exit code: 3221226540
Version: 10.0.22621.1 (WinBuild.160101.0800)
Modules
Images
c:\windows \syswow64\per.exe
c:\windows\system32\ntdll.dll
5912 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | - | esentutl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 6 663
Read events: 6 656
Write events: 7
Delete events: 0

Modification events

(PID) Process: (1440) Accounts.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Tzzcszgg
Value: C:\Users\Public\Tzzcszgg.url

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\store-XCQCWS
Operation: write
Name: exepath
Value: 7CC707C7650961546EE5404D1ED94D14456E9AB044E88FB23EC8E35F719A14BF2E5D0D6A34F87641ACBE7C2B04027AA273AA3DB33C94ADCCF7BA6BF1A48D

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\store-XCQCWS
Operation: write
Name: licence
Value: B4C1AE0E71647608CC0F24585057F1E5

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\store-XCQCWS
Operation: write
Name: time
Value:

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 6
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6244 | esentutl.exe | C:\Users\Public\pha.pif | executable
MD5: 2E5A8590CF6848968FC23DE3FA1E25F1
SHA256: 9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
6960 | pha.pif | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vut4ggn4.3i3.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1440 | Accounts.exe | C:\Users\Public\Libraries\Tzzcszgg | binary
MD5: B01CBB6440DF4198B59FF792B7354D49
SHA256: 259C172F8C2E2C346B1C40B953E85AF7692FD2745D171485FE4A6541B272A065
4476 | esentutl.exe | C:\Users\Public\alpha.pif | executable
MD5: D3348AC2130C7E754754A6E9CB053B09
SHA256: E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
1440 | Accounts.exe | C:\Users\Public\Tzzcszgg.url | text
MD5: 08AC394E2A337CEA0E8D97591887DD26
SHA256: 058DD5DBCCC61901C95344FBEF4CFE5D7107148BB5EEDF9F99B3332E7365E7B4
1440 | Accounts.exe | C:\Users\Public\Libraries\ggzsczzT.cmd | text
MD5: B87F096CBC25570329E2BB59FEE57580
SHA256: D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
7160 | esentutl.exe | C:\Users\Public\xpha.pif | executable
MD5: B3624DD758CCECF93A1226CEF252CA12
SHA256: 4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
1440 | Accounts.exe | C:\Users\Public\Libraries\PNO | text
MD5: E65F6D7F08D9245461E19A296FBEA585
SHA256: 4C50D27C5031D7F039FE61DBD05B1E84B02D76786F79C569BE88AA04C95AA417
6960 | pha.pif | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4x2vzsks.ha5.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1440 | Accounts.exe | C:\Windows \SysWOW64\per.exe | executable
MD5: 869640D0A3F838694AB4DFEA9E2F544D
SHA256: 0DB4D3FFDB96D13CF3B427AF8BE66D985728C55AE254E4B67D287797E4C0B323
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 57
DNS requests: 21
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
624 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
948 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
6584 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6876 | SndVol.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | - | - | malicious
6584 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4360 | SearchApp.exe | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.178
  • 104.126.37.179
  • 104.126.37.170
  • 104.126.37.177
  • 104.126.37.163
  • 104.126.37.161
  • 104.126.37.171
  • 104.126.37.160
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.76
whitelisted
th.bing.com
  • 104.126.37.146
  • 104.126.37.153
  • 104.126.37.144
  • 104.126.37.161
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.152
  • 104.126.37.155
  • 104.126.37.145
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted

Threats

PID | Process | Class | Message
6876 | SndVol.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin
6876 | SndVol.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response
1 ETPRO signature is available in the full report
No debug info