File name: Accounts.exe
Full analysis: https://app.any.run/tasks/144c6507-3bef-4519-9ed3-a0e2b2b2441f
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers partial to complete control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 15, 2024, 13:22:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir, rat, remcos, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 386F092F96B545910A0476742B25E1BB
SHA1: 5DE0AC31F9FB6A1C6BBB29DC425B3C097394E1BC
SHA256: FAAC5B936209215958E0B3929303E9EFC78243280203D569DB4CA7AF5C8FAB98
SSDEEP: 49152:TgjaRUVr1Y/jqhYk5r1mIfjHON26/70MGwUfnMxV9cV/Uoh:ut96/jqak5HjONzOwUfneVmV/UY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds extension to the Windows Defender exclusion list

      • per.exe (PID: 6604)
    • Starts PowerShell from an unusual location

      • per.exe (PID: 6604)
    • Connects to the CnC server

      • SndVol.exe (PID: 6876)
    • REMCOS has been detected (SURICATA)

      • SndVol.exe (PID: 6876)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Accounts.exe (PID: 1440)
    • There is functionality for taking screenshot (YARA)

      • Accounts.exe (PID: 1440)
    • Executing commands from ".cmd" file

      • Accounts.exe (PID: 1440)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 3964)
      • esentutl.exe (PID: 4476)
      • esentutl.exe (PID: 7160)
      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 6172)
      • alpha.pif (PID: 7076)
      • xpha.pif (PID: 7100)
      • esentutl.exe (PID: 6244)
      • pha.pif (PID: 6960)
      • esentutl.exe (PID: 6128)
      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 6888)
      • alpha.pif (PID: 1184)
    • Starts CMD.EXE for commands execution

      • Accounts.exe (PID: 1440)
    • Executable content was dropped or overwritten

      • esentutl.exe (PID: 4476)
      • esentutl.exe (PID: 7160)
      • esentutl.exe (PID: 6244)
      • Accounts.exe (PID: 1440)
      • esentutl.exe (PID: 6128)
    • Created directory related to system

      • alpha.pif (PID: 5524)
    • Starts a Microsoft application from unusual location

      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 6172)
      • alpha.pif (PID: 7076)
      • alpha.pif (PID: 6888)
      • xpha.pif (PID: 7100)
      • pha.pif (PID: 6960)
      • alpha.pif (PID: 5524)
      • alpha.pif (PID: 1184)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3964)
      • alpha.pif (PID: 7076)
      • per.exe (PID: 6604)
    • Starts itself from another location

      • cmd.exe (PID: 3964)
    • Process drops legitimate windows executable

      • Accounts.exe (PID: 1440)
    • Contacting a server suspected of hosting an CnC

      • SndVol.exe (PID: 6876)
    • Checks for external IP

      • SndVol.exe (PID: 6876)
    • Connects to unusual port

      • SndVol.exe (PID: 6876)
  • INFO

    • Checks supported languages

      • Accounts.exe (PID: 1440)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ MATRIX in the full report.
No malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 530432
InitializedDataSize: 766464
UninitializedDataSize: -
EntryPoint: 0x828b0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 150
Monitored processes: 22
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Nodes in the order shown: start, THREAT accounts.exe, cmd.exe (no specs), conhost.exe (no specs), esentutl.exe, esentutl.exe, alpha.pif (no specs), alpha.pif (no specs), alpha.pif (no specs), xpha.pif (no specs), per.exe (no specs), per.exe (no specs), per.exe, esentutl.exe, conhost.exe (no specs), pha.pif (no specs), conhost.exe (no specs), alpha.pif (no specs), alpha.pif (no specs), alpha.pif (no specs), esentutl.exe, conhost.exe (no specs), #REMCOS sndvol.exe

Process information

PID: 1184
CMD: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Path: C:\Users\Public\alpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 145
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 1440
CMD: "C:\Users\admin\AppData\Local\Temp\Accounts.exe"
Path: C:\Users\admin\AppData\Local\Temp\Accounts.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\accounts.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

PID: 2484
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: pha.pif
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3912
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: esentutl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 3964
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\Libraries\ggzsczzT.cmd" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: Accounts.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 4476
CMD: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Path: C:\Windows\SysWOW64\esentutl.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 5524
CMD: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Path: C:\Users\Public\alpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 5524
CMD: C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Path: C:\Users\Public\alpha.pif
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 145
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 5912
CMD: "C:\Windows \SysWOW64\per.exe"
Path: C:\Windows \SysWOW64\per.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Exchange ActiveSync Invoker
Exit code: 3221226540
Version: 10.0.22621.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows \syswow64\per.exe
c:\windows\system32\ntdll.dll

PID: 5912
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: esentutl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 6 663
Read events: 6 656
Write events: 7
Delete events: 0

Modification events

(PID) Process: (1440) Accounts.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Tzzcszgg
Value: C:\Users\Public\Tzzcszgg.url

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\store-XCQCWS
Operation: write
Name: exepath
Value: 7CC707C7650961546EE5404D1ED94D14456E9AB044E88FB23EC8E35F719A14BF2E5D0D6A34F87641ACBE7C2B04027AA273AA3DB33C94ADCCF7BA6BF1A48D

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\store-XCQCWS
Operation: write
Name: licence
Value: B4C1AE0E71647608CC0F24585057F1E5

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\store-XCQCWS
Operation: write
Name: time
Value:

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6876) SndVol.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 6
Suspicious files: 3
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7160 | esentutl.exe | C:\Users\Public\xpha.pif | executable
  MD5: B3624DD758CCECF93A1226CEF252CA12
  SHA256: 4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
6244 | esentutl.exe | C:\Users\Public\pha.pif | executable
  MD5: 2E5A8590CF6848968FC23DE3FA1E25F1
  SHA256: 9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
1440 | Accounts.exe | C:\Windows \SysWOW64\NETUTILS.dll | executable
  MD5: 6D23FE871B2064C6D13580A5745F23CB
  SHA256: C835F2A1234B62AB7684694AF378F62770903D07D6FDFBE3A371509E2B4CCC67
6960 | pha.pif | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vut4ggn4.3i3.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6960 | pha.pif | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4x2vzsks.ha5.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1440 | Accounts.exe | C:\Users\Public\Libraries\Tzzcszgg | binary
  MD5: B01CBB6440DF4198B59FF792B7354D49
  SHA256: 259C172F8C2E2C346B1C40B953E85AF7692FD2745D171485FE4A6541B272A065
1440 | Accounts.exe | C:\Users\Public\Tzzcszgg.url | text
  MD5: 08AC394E2A337CEA0E8D97591887DD26
  SHA256: 058DD5DBCCC61901C95344FBEF4CFE5D7107148BB5EEDF9F99B3332E7365E7B4
6128 | esentutl.exe | C:\Users\Public\Libraries\Tzzcszgg.PIF | executable
  MD5: 386F092F96B545910A0476742B25E1BB
  SHA256: FAAC5B936209215958E0B3929303E9EFC78243280203D569DB4CA7AF5C8FAB98
6876 | SndVol.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].json | binary
  MD5: 7880226E1DD43882E2EC1C0890AD7E90
  SHA256: 1DA41314EE93BC32335CFFEEB6DFD4D5D861E17B558B5BBD9C718F7572FEDF6D
4476 | esentutl.exe | C:\Users\Public\alpha.pif | executable
  MD5: D3348AC2130C7E754754A6E9CB053B09
  SHA256: E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 57
DNS requests: 21
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
624 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4360 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1440 | Accounts.exe | GET | 200 | 64.176.178.205:80 | http://64.176.178.205/test/233_Tzzcszggyfg | unknown | unknown
948 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6584 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6584 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | whitelisted
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4360 | SearchApp.exe | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.178
  • 104.126.37.179
  • 104.126.37.170
  • 104.126.37.177
  • 104.126.37.163
  • 104.126.37.161
  • 104.126.37.171
  • 104.126.37.160
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.76
whitelisted
th.bing.com
  • 104.126.37.146
  • 104.126.37.153
  • 104.126.37.144
  • 104.126.37.161
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.152
  • 104.126.37.155
  • 104.126.37.145
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted

Threats

PID | Process | Class | Message
6876 | SndVol.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Checkin
6876 | SndVol.exe | Malware Command and Control Activity Detected | ET MALWARE Remcos 3.x Unencrypted Server Response
1 ETPRO signature is available in the full report
No debug info