General Info

File name

fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

Full analysis
https://app.any.run/tasks/34fe4c3c-1a3f-442b-b333-f263dabfcc34
Verdict
Malicious activity
Analysis date
3/14/2019, 23:41:44
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ramnit
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5

ff5e1f27193ce51eec318714ef038bef

SHA1

b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256

fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SSDEEP

1536:Q+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzE:bROzoTq0+RO7IwnY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Connects to CnC server
  • iexplore.exe (PID: 928)
RAMNIT was detected
  • iexplore.exe (PID: 928)
Changes the login/logoff helper path in the registry
  • iexplore.exe (PID: 928)
Executable content was dropped or overwritten
  • fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe (PID: 3012)
Starts Internet Explorer
  • DesktopLayer.exe (PID: 3620)
Creates files in the program directory
  • iexplore.exe (PID: 928)

No info indicators.


Static information

TRiD
.dll  Win32 Dynamic Link Library (generic) (34.2%)
.exe  Win32 Executable (generic) (23.5%)
.exe  Win16/32 Executable Delphi generic (10.8%)
.exe  Clipper DOS Executable (10.5%)
.exe  Generic Win/DOS Executable (10.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2008:02:12 12:02:20+01:00
PEType:
PE32
LinkerVersion:
7.4
CodeSize:
57344
InitializedDataSize:
4096
UninitializedDataSize:
122880
EntryPoint:
0x2c030
OSVersion:
10
ImageVersion:
8.1
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
106.42.73.61
ProductVersionNumber:
106.42.73.61
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
CompanyName:
SOFTWIN S.R.L.
FileDescription:
BitDefender Management Console
FileVersion:
106.42.73.61
InternalName:
фжзрюкшэщ
LegalCopyright:
2528-6142
OriginalFileName:
nedwp.exe
ProductName:
люзанх
ProductVersion:
106.42.73.61
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
12-Feb-2008 11:02:20
Detected languages
English - United States
Russian - Russia
CompanyName:
SOFTWIN S.R.L.
FileDescription:
BitDefender Management Console
FileVersion:
106.42.73.61
InternalName:
фжзрюкшэщ
LegalCopyright:
2528-6142
OriginalFilename:
nedwp.exe
ProductName:
люзанх
ProductVersion:
106.42.73.61
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
12-Feb-2008 11:02:20
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
UPX0 0x00001000 0x0001E000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
UPX1 0x0001F000 0x0000E000 0x0000D200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.95361
.rsrc 0x0002D000 0x00001000 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.43088
Resources
1

Imports
    KERNEL32.DLL

    SHELL32.DLL

    USER32.DLL

Exports

    No exports.
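The section table above has the textbook UPX shape: UPX0 is an executable section with zero raw size (the unpacker fills it at runtime), UPX1 carries the compressed image at entropy 7.95 and contains the entry point (0x2c030 lies inside 0x1F000-0x2D000), all three sections are writable, and the import table lists only three DLL names because a UPX-packed binary keeps a minimal import table and resolves the real imports after unpacking. The version resource (SOFTWIN S.R.L. / BitDefender Management Console, with a Cyrillic InternalName and ProductName) is attacker-controlled metadata and must not be read as a trust signal; the section table is the more reliable evidence. The following Python is an added example, not part of the ANY.RUN report and not the sample itself: a standard-library PE section-table parser with a per-section entropy measure and the heuristics just listed. Because the sample is not reproduced here, build_sample_pe() constructs an in-memory stand-in with the same e_lfanew, timestamp, linker version, size fields, section names, sizes, flags and entry point as reported; its UPX1 bytes are seeded random data standing in for compressed code, and its .rsrc bytes are zeros (the real section's entropy of 4.43 is not reproduced).

```python
import math
import random
import struct

IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns the entry-point RVA and per-section size/flag/entropy data."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "flags": flags,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {"entry": entry, "sections": sections}


def packer_indicators(info: dict) -> list:
    """Heuristics that reproduce what the Sections table in the report shows for UPX."""
    findings = []
    for s in info["sections"]:
        x = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        w = bool(s["flags"] & IMAGE_SCN_MEM_WRITE)
        if s["name"].startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
        if x and s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: executable section with no raw data (unpack target)")
        if x and s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} in executable section (compressed/encrypted code)")
        if x and w:
            findings.append(f"{s['name']}: writable and executable")
        if s["vaddr"] <= info["entry"] < s["vaddr"] + s["vsize"]:
            findings.append(f"entry point {info['entry']:#x} is inside {s['name']}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed stand-in (not the real sample) mirroring the report's layout:
    e_lfanew 0x100, timestamp 12-Feb-2008 11:02:20, linker 7.4, three sections
    UPX0 / UPX1 / .rsrc with the reported sizes and flags, entry point 0x2C030."""
    e_lfanew, opt_size, nsections = 0x100, 0xE0, 3
    rng = random.Random(1)  # deterministic stand-in for compressed code
    upx1_raw = bytes(rng.getrandbits(8) for _ in range(0x1000))
    rsrc_raw = b"\0" * 0x200  # low-entropy stand-in for resource data
    raw_base = 0x400  # first 512-byte-aligned file offset after the headers
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr = hdr.ljust(e_lfanew, b"\0") + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, nsections, 0x47B17CBC, 0, 0, opt_size, 0x010F)
    # Magic, linker 7.4, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    hdr += struct.pack("<HBBIIII", 0x10B, 7, 4, 0xE000, 0x1000, 0x1E000, 0x2C030).ljust(opt_size, b"\0")

    def sect(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    hdr += sect(b"UPX0", 0x1E000, 0x1000, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | 0xE0000000)
    hdr += sect(b"UPX1", 0xE000, 0x1F000, len(upx1_raw), raw_base, 0x40 | 0xE0000000)
    hdr += sect(b".rsrc", 0x1000, 0x2D000, len(rsrc_raw), raw_base + len(upx1_raw), 0x40 | 0xC0000000)
    return hdr.ljust(raw_base, b"\0") + upx1_raw + rsrc_raw


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:<8} vaddr={s['vaddr']:#010x} vsize={s['vsize']:#x} raw={s['rawsize']:#x} entropy={s['entropy']}")
    for line in packer_indicators(info):
        print(" -", line)
```

Running parse_pe on the real file (open(path, "rb").read()) yields the same fields as the Sections table above. If the packer is stock UPX, `upx -d` on a copy should restore the original section names and a full import table; if `upx -d` refuses the file, the header has been modified and the image must be dumped from memory after the unpacking stub has run instead.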

Processes

Total processes
34
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe (PID 3012) --drop and start--> DesktopLayer.exe (PID 3620, no specs) --start--> iexplore.exe (PID 928, #RAMNIT)

Process information


PID
3012
CMD
"C:\Users\admin\AppData\Local\Temp\fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe"
Path
C:\Users\admin\AppData\Local\Temp\fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
SOFTWIN S.R.L.
Description
BitDefender Management Console
Version
106.42.73.61
Modules
Image
c:\users\admin\appdata\local\temp\fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\users\admin\microsoft\desktoplayer.exe

PID
3620
CMD
C:\Users\admin\Microsoft\DesktopLayer.exe
Path
C:\Users\admin\Microsoft\DesktopLayer.exe
Indicators
No indicators
Parent process
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\microsoft\desktoplayer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
928
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
DesktopLayer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
182
Read events
3
Write events
179
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
928
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
c:\windows\system32\userinit.exe,,c:\users\admin\microsoft\desktoplayer.exe
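This single registry write is the persistence mechanism. Winlogon\Userinit is a comma-separated list and Windows runs every non-empty entry at each interactive logon in the logging-on user's context, so appending c:\users\admin\microsoft\desktoplayer.exe makes the dropped copy start with every logon without touching the Run keys. Two caveats for anyone turning this into a detection: the double comma is an empty entry that Windows ignores, so do not match on the exact string; and iexplore.exe ran at MEDIUM integrity, so on a UAC-enabled host a write to this HKLM key needs elevation, and the sandbox's write event should be confirmed against the live value rather than trusted on its own. As an added example (mine, not ANY.RUN's), the following Python audits the Userinit and Shell values and runs that check over registry write events shaped like the modification table above; the event list is constructed, with the first row copied from this report and the others serving as benign controls.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows values (assumption: default install with %SystemRoot% = C:\Windows).
EXPECTED = {
    "Userinit": r"c:\windows\system32\userinit.exe",
    "Shell": "explorer.exe",
}

# Locations a non-admin user can write to; an autostart entry there is the strongest signal.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\"
    r"|%(?:temp|tmp|appdata|localappdata|userprofile)%)", re.IGNORECASE)


def split_entries(value):
    """Winlogon values are comma-separated; Windows runs every non-empty entry.
    The trailing comma of the stock value and the double comma seen in the report
    both produce empty entries, which are dropped so a match never depends on them."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_winlogon_value(name, value):
    """Return one finding per entry that is not the stock value for this name."""
    expected = EXPECTED[name]
    findings = []
    for entry in split_entries(value):
        if entry.lower() == expected:
            continue
        severity = "high" if USER_WRITABLE.match(entry) else "medium"
        findings.append({"value": name, "entry": entry, "severity": severity})
    return findings


def scan_registry_events(events):
    """events: dicts with pid, process, op, key, name, value (the shape of the
    report's modification table). Only writes to the watched Winlogon values are audited."""
    alerts = []
    for ev in events:
        if ev["op"] != "write" or ev["key"].lower() != WINLOGON_KEY.lower():
            continue
        if ev["name"] not in EXPECTED:
            continue
        for finding in audit_winlogon_value(ev["name"], ev["value"]):
            alerts.append(dict(finding, pid=ev["pid"], process=ev["process"]))
    return alerts


# Constructed input: the first event is the report's row; the rest are benign controls
# (an installer rewriting the stock values, and a read of the tampered value).
SAMPLE_EVENTS = [
    {"pid": 928, "process": "iexplore.exe", "op": "write", "key": WINLOGON_KEY, "name": "Userinit",
     "value": r"c:\windows\system32\userinit.exe,,c:\users\admin\microsoft\desktoplayer.exe"},
    {"pid": 1200, "process": "msiexec.exe", "op": "write", "key": WINLOGON_KEY, "name": "Userinit",
     "value": r"C:\Windows\system32\userinit.exe,"},
    {"pid": 1200, "process": "msiexec.exe", "op": "write", "key": WINLOGON_KEY, "name": "Shell",
     "value": "explorer.exe"},
    {"pid": 1300, "process": "setup.exe", "op": "read", "key": WINLOGON_KEY, "name": "Userinit",
     "value": r"c:\windows\system32\userinit.exe,,c:\users\admin\microsoft\desktoplayer.exe"},
]

if __name__ == "__main__":
    for alert in scan_registry_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] pid {alert['pid']} {alert['process']} "
              f"set Winlogon\\{alert['value']} to run {alert['entry']}")
```

On a live host the same value is read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and passed to audit_winlogon_value; for continuous detection, a Sysmon Event ID 13 (registry value set) whose TargetObject ends in \Winlogon\Userinit or \Winlogon\Shell is the equivalent telemetry, and the same entry-splitting applies to its Details field.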

Files activity

Executable files
1
Suspicious files
0
Text files
116
Unknown types
0

Dropped files

PID
Process
Filename
Type
3012
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320.exe
C:\Users\admin\Microsoft\DesktopLayer.exe
executable
MD5: ff5e1f27193ce51eec318714ef038bef
SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\POL\license.html
xml
MD5: 2353dc43e6283dd3fbbe00e2f635e90d
SHA256: 462f7fc5dac6b3601b7f33aabbbeaac40c50d52a89a210d7d8e14ee8f41a2255
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Java\jre1.8.0_92\Welcome.html
html
MD5: a9d6bbf109689180993dfe15e5fd7929
SHA256: 0e69c613e1a016851ce9336a44b02b41b1c2bf634223a49b3a31a5e4c22ff508
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\FileZilla FTP Client\GPL.html
html
MD5: e8ea988d18c27cfb4f57f5f1fe61e123
SHA256: 8e2f0549f8b814a3712486ce27be492e6a01906880f6099e88ed8f5b1aa0c18e
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Viktigt.htm
html
MD5: 86d8ea6d2b2702ede9b769ce4632d889
SHA256: 2ec1943613dbc93d17b7310e9c6aa33780efe5230ee610c02700160b2fc21e1b
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Viktig.htm
html
MD5: ebd6e5040b2eafae3966106dbbf44d27
SHA256: f6450815e3c9ca6c1126e0df9136b50aed003a119348debedd00f1442ab939fc
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Vigtigt.htm
html
MD5: a89f2180107caa87a3f11d0ef06425a7
SHA256: 2c508d73cf86e1f6c69bb97bcb961b884d53b56e05f329d8e2db97e1065fe8dc
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeUKR.htm
html
MD5: a939b46f0512e99c5254f69517a24d3b
SHA256: 00c6bc7a68c1ac9cd0fbef33ac5c6b9ca83d4e88f380182d98aa373791634d01
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeSKY.htm
html
MD5: bab42c8b33b9a32119f2f518dc0592d5
SHA256: f1deedc93fa9eee2506cec41088878a54fc31628534863f903b3f6ec6d81ca13
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeRUS.htm
html
MD5: 3541824ea06528373b0e924a029747bf
SHA256: be38777c37211176bcb53b7949dd4eea3b587a0c1bdf6c38d299bda92e1f1b91
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeRUM.htm
html
MD5: 32095e3b629b351be893d0c3e76fbedd
SHA256: 8231ff18339c65de4327bcb0b1289e01fca1409abd084caa874ef8c582f9ea0e
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMePOL.htm
html
MD5: 22c95ece4fe9518d0e7e907afccbf996
SHA256: acae1ce67fbbbf5d8d19b6ddc2422c65619c90b9e9822ebd8e819ec82915b724
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeK.htm
html
MD5: 29e3f049f52c9fc4231085ca38479248
SHA256: d2ba01a7575752a950be17bbd666bc2269d7e06f7ad2e9368b8c206d750bfd7d
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeJ.htm
html
MD5: 29c93b3c0f5a3d468dee444b00c65a29
SHA256: 0ee1c43f993e76c597af206243aeb0175afdd38f28e162c1b3c1f6553424396c
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeHUN.htm
html
MD5: f71d007abe14a30a5742b13cbf547d1d
SHA256: cc35303493390c05a8ae027ed9c3cf904c95dba666d3a85170c1e5986af6be91
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeHRV.htm
html
MD5: 780b6d2bac3e2776e354b11ccbdd528c
SHA256: 9cf74118da04cbb57e067f3f89d140d7b9dc235aae23f2be7e79c88dba61b823
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeCZE.htm
html
MD5: bfc80e5fa436bd28e02f70883cc4eca0
SHA256: d004cf13deacf346816289f2dbe1d7cc1a41d878215d4f1dcd2a34a71d53a543
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeCT.htm
html
MD5: 7f32eba7b2d2ac5c010470dcb002bf64
SHA256: 8f88491f3025f40c592577c9802448083ca64361c4d8dc958f100182a5c46aad
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMeCS.htm
html
MD5: a06cdbc9f8705a0ee562d11af9a97b33
SHA256: 47e1985118790e8a371ff66e5923e2b3d5e578fdd85d2bbafd7fd382bf75bd67
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\ReadMe.htm
html
MD5: 73228cb50996251594a1d0c8aa7416ed
SHA256: 94ccbe91489635345ba6cb4012c43e5d5e9337cc8ca774e6f8bb8f14d9947593
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html
html
MD5: e461f6be7d27e5ada32e5572dd335ade
SHA256: 7dd9654549746849865aaa23c0576b535aea866c436dccd88ca827ee712bc67b
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\UKR\license.html
xml
MD5: fa8464eb1e9280ca1b9dd83b68018f3d
SHA256: 6e7fbe6a197b0c922619674c09da68fdee3847acc250fda9ee7b259e8724390a
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\TUR\license.html
xml
MD5: 3d650fdd49017db30db5357954ac8462
SHA256: 8f2ee9e9709115d741fba9cfbbe5b8b61a458f9f1c99a2e222f3e0f96ada4178
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SVE\license.html
xml
MD5: 7848ce9a56bfae051bf1ceb392c944c8
SHA256: 30d5a9c0e79022b1760ae4e554595c5e2433b1a21f6c945863412922e19e26ce
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SUO\license.html
xml
MD5: e724366df7aecee3a81a19ad7fab98b7
SHA256: 67038e6e59518b9aff9435cae0f6e6265828d8b4579bb642af2736e96966ab01
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SLV\license.html
xml
MD5: 4479b78236b046e42e7121b3418acce1
SHA256: f6e88fd0e87c1c2b046f8a193e556df9fe05e2d8605bd9123f09d05a4a82e742
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SKY\license.html
xml
MD5: 1722466d63790384a99e581cb8988e5d
SHA256: 49a6c5c87974e7c0f29fc0bcc2b5bfaa35062a3cfb85b9180eb87e033b1b348b
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\RUS\license.html
xml
MD5: 412baf2276cf889a3333a0aba7509878
SHA256: 57b056369918654b18fc00bb9b4a63c3ecc289c5b6b3b4a3326ef28365a05420
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\RUM\license.html
xml
MD5: ace333ce2cb847d3eafb1df2253a06d5
SHA256: 53478592aea009c979bc4bac9c198460e25cd75b450ee7f988753c60ddd943f5
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\PTB\license.html
xml
MD5: 34977c8832a58ed84f213be15b33ad23
SHA256: efa0fdaa68dd1a4e434a9ac8b920b9872b75ae433362faa7c8a93a3b2a840cfe
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Microsoft\Skype for Desktop\third-party_attributions.html
html
MD5: 10d92c807a5e2d2b6d22c003e3ad0285
SHA256: a2a53fae9de17974f973b1bcd13c4b958412d5494bccd90b2dd7d4e68e3b0bf2
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\NOR\license.html
xml
MD5: 5c0315ab581cd2ccd0fb5102ceb1f193
SHA256: c7de7b5a4a42c5f7b675312f3a2b01d5093bf1f36df632f12f729c81a41d9a80
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\NLD\license.html
xml
MD5: bfcaab2e9eefdff5701ec4c1008515c5
SHA256: 86ba34955a5d75d56e377faeb372110918a330d26b843de21416e4975cd38de9
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\KOR\license.html
xml
MD5: 58ee0e05e0714555dd5a0b243bd5bf23
SHA256: 292ab201ccdaa5744870e09f8d29f48677d7150d73c0b947bfa227e32fffec95
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\JPN\license.html
xml
MD5: a505971bf0ce63908b403ced8e99a51c
SHA256: f941646494d87663ee60d096c92a3251da2bc64714a16da4930166858830040c
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ITA\license.html
xml
MD5: 4488635bd8ca237fe6696a274e17e04b
SHA256: 73adb549e876a2411498f57fac1ca227ff00086a6106f161d3df6e4fbb09f10f
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\HUN\license.html
xml
MD5: 87f043a5e79f9f6724c74e599025e42c
SHA256: de8ebbeb05cf593c0f2b0666c7f960c858d2537c84f1bda43a06971f516f2b7d
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\HRV\license.html
xml
MD5: 0d2386cb7c5447a7fd6a19684108b4d4
SHA256: 97a6557ac0ad211af2d7b585180e5eac519ff7dfd5d88d0597128ca87a1b00e8
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\FRA\license.html
xml
MD5: adf9b7e8783d38b9194fe9d0225642f2
SHA256: bbef267aa95bfc7688506b4839ddf58aa9ae3edbfdd68e6e85c0dd2cdbf51864
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\EUQ\license.html
xml
MD5: a7d7baea06efde1192bce5db9dd440c6
SHA256: cdfd3475eeffbd96933e32a1ed9bd2043cafab46d23bee79d399708098a0f84c
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ESP\license.html
xml
MD5: c516f4f59040dffe4e330a0e01c77e5e
SHA256: 786e2e65c34da30088a1e9ea3be52b0ae6280bc4ab1f2ebd6023cd90c2441d33
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html
xml
MD5: d33ccb3422af0c71771939217fc47759
SHA256: 7ffa06987dc30b3b86d2308bbbbbc76e98a33bfa1f15c7c333a0a3ec10108377
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DEU\license.html
xml
MD5: 88d23eb81230cf2953891bcdaacf971b
SHA256: 0d9765527047fbb6bb515cd10add7473999f23a6d3f37e7352cb0a4e5f4039c3
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DAN\license.html
xml
MD5: 4a7294f5f2ef29591c7ada018783985b
SHA256: 9db7360661300ba7cd9547950860b7d8cd634a655e475a28bbc0eeeb29848333
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CZE\license.html
xml
MD5: 68f8164fe10187cf5e5a59231473ceb9
SHA256: 49872cd2b3cd7300d7d321b1edcb840d5531133fc78984c5ad27cedd6b5ff933
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHT\license.html
xml
MD5: 909c2bef1cb3b9c5383dc566961b3e4c
SHA256: 98d29ced4aed84e21724b07b18e7895cadaedfe38b3bada73ce3c6ca8e9ccd3e
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHS\license.html
xml
MD5: 68a3f112c4d71284ae0b4ab1f691d7a0
SHA256: c1da768a291f0f1691bbe933c020b79815f458d1b77c689df10b89072f870612
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html
xml
MD5: eff1c69346c2497a5ae6ec7fcc2c4477
SHA256: 0605c364dea456ff09f7f6ceea18c1ffbe805d2747943d8aa6c94927bd2d8de8
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm
html
MD5: 06ee95a60459e8b22ea76f1be1a619e3
SHA256: 8a17f941dbd591c215422998f8d098742d1bf7d736c927f3e37217f545420416
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm
html
MD5: 439c71c59341e5e518d0eabc4099a24b
SHA256: 419bce4cd535a08fd240849436101579fc6a5464690d166e3e7a8eed87f12293
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm
html
MD5: 785edfa144f16a7f0fc2933a97919641
SHA256: d6811444120985acdbfdc5943183733d8ca3c800b1c6009753a81c2e5ef3253b
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm
html
MD5: 3fe5c54f7bdc00c83c49c27c9241fc80
SHA256: c65c0c1406867b92bf4590173628035fae1ecda06b222941b564b647f622917e
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
html
MD5: 37f3d4cb431cec9af2f69d87fe8a2f64
SHA256: 590e6dbb8df77fe6e57894632fa6cb28c7b086704b0e7f9a348a95651310fd8e
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm
html
MD5: 7bfd7d6bb6eac5462c4f9e370f7a6f80
SHA256: 84e5d8d48334df15bb9a99c858da7d56268e14eec1058f836bf6b4dc9de41c0d
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm
html
MD5: 306f4a37abaf653e02812b4cc1e71c1b
SHA256: b6e495d6e2a2cfe5c82361c881311bab1bab6c9b8908fed6eee7f64203df2b78
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm
html
MD5: 5079afa6a352afe6d89c9cf78eaf3644
SHA256: 34f530dc85be9889f4acc3cd32b7038542eda595ec82829a32aa1ea4171bb63a
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm
html
MD5: a6851d600250bf93716fd1721e509697
SHA256: 3b4de405392b27b611e9d820857d221be34873a4d28ae2ddbe760c78440011ca
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm
html
MD5: cbadf7509f16bf3620ac5a483e4cbb1c
SHA256: 1f58f6f2330711369236a596e37b19f695c2677bb363c9a59e3a70ac220e95fb
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm
html
MD5: a491201ab7305e2c71d90cb6cbbeeaa1
SHA256: 826444c3d91cb3694a2256b0d5470553faab1b70d0008a3294554875015bf0bc
928
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Microsoft\Skype for Desktop\LICENSES.chromium.html
html
MD5: ad7a4b10d8c83cfbbc175978d6a791c8
SHA256: 82c2c82b67634f6f34effa308e15804869e7a5acf61dbe1a7f378d9be201ee6a
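Two things in this table matter more than its length. First, the only executable dropped, C:\Users\admin\Microsoft\DesktopLayer.exe, has the same MD5 and SHA256 as the submitted file: the sample copies itself byte-for-byte into the user profile and launches the copy (PID 3620), which is why DesktopLayer.exe carries no indicators of its own. Second, every other entry sits under C:\Users\admin\AppData\Local\VirtualStore\Program Files\..., which is where UAC file virtualization redirects a medium-integrity process that writes to a protected location: iexplore.exe (PID 928) attempted to modify .htm/.html files belonging to Adobe Reader, Java, FileZilla and Skype. That is consistent with the HTML file-infection behaviour Ramnit is known for, although this report does not show what was written. The following Python is an added example, not ANY.RUN's code: it maps VirtualStore paths back to the location the process actually targeted, flags self-copies by hash, and summarises writes per process. Its input is a constructed subset of the table above (four rows copied from the report plus one benign control row with a placeholder hash).

```python
import re
from collections import Counter

# UAC file virtualization redirects writes by medium-integrity processes from
# protected locations (Program Files, Windows, ProgramData) into the user's VirtualStore.
VIRTUALSTORE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE)


def devirtualize(path):
    """Return the protected path a VirtualStore entry stands for, or None if it is not one."""
    m = VIRTUALSTORE.match(path)
    if not m:
        return None
    return "%s:\\%s" % (m.group("drive").upper(), m.group("rest"))


def triage_drops(sample_sha256, drops):
    """drops: rows shaped like the report's Dropped files table (pid, process, path, type, sha256).
    Separates byte-identical self-copies, UAC-redirected writes (mapped back to their real
    target, grouped by process) and everything else."""
    result = {"self_copies": [], "redirected": {}, "per_process": Counter(), "other": []}
    for d in drops:
        result["per_process"][(d["pid"], d["process"])] += 1
        if d["sha256"].lower() == sample_sha256.lower():
            result["self_copies"].append(d["path"])
            continue
        real = devirtualize(d["path"])
        if real is not None:
            result["redirected"].setdefault(d["process"], []).append(real)
        else:
            result["other"].append(d["path"])
    return result


SAMPLE_SHA256 = "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320"

# Constructed input: rows 1-4 are copied from the report; row 5 is a benign control
# with a placeholder hash that does not occur in the report.
SAMPLE_DROPS = [
    {"pid": 3012, "process": SAMPLE_SHA256 + ".exe",
     "path": r"C:\Users\admin\Microsoft\DesktopLayer.exe", "type": "executable",
     "sha256": SAMPLE_SHA256},
    {"pid": 928, "process": "iexplore.exe",
     "path": r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Java\jre1.8.0_92\Welcome.html",
     "type": "html", "sha256": "0e69c613e1a016851ce9336a44b02b41b1c2bf634223a49b3a31a5e4c22ff508"},
    {"pid": 928, "process": "iexplore.exe",
     "path": r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\FileZilla FTP Client\GPL.html",
     "type": "html", "sha256": "8e2f0549f8b814a3712486ce27be492e6a01906880f6099e88ed8f5b1aa0c18e"},
    {"pid": 928, "process": "iexplore.exe",
     "path": r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html",
     "type": "xml", "sha256": "7ffa06987dc30b3b86d2308bbbbbc76e98a33bfa1f15c7c333a0a3ec10108377"},
    {"pid": 1500, "process": "notepad.exe", "path": r"C:\Users\admin\Documents\notes.txt",
     "type": "text", "sha256": "0" * 64},
]

if __name__ == "__main__":
    r = triage_drops(SAMPLE_SHA256, SAMPLE_DROPS)
    print("self-copies:", r["self_copies"])
    for proc, targets in r["redirected"].items():
        print(f"{proc} wrote (redirected by UAC) to:")
        for t in targets:
            print("   ", t)
```

The redirected list is what to check on an infected host: the originals under C:\Program Files are untouched, but a user who opens one of the VirtualStore copies (which is what the same user's processes see when they open the Program Files path) gets the modified content, so the VirtualStore directory must be cleaned along with the self-copy and the Userinit value.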


Network activity

HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
3
Threats
6

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
928 iexplore.exe 89.185.44.100:443 Claranet Ltd FR suspicious
928 iexplore.exe 172.217.21.238:80 Google Inc. US whitelisted
928 iexplore.exe 172.217.18.14:80 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
fget-career.com No response malicious
google.com 172.217.21.238 whitelisted

Threats

PID Process Class Message
928 iexplore.exe A Network Trojan was detected ET TROJAN Win32/Ramnit Checkin
928 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Ramnit Checkin
928 iexplore.exe A Network Trojan was detected ET TROJAN Win32/Ramnit Checkin
928 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Ramnit Checkin
928 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Banker Ramnit CnC Connection

1 ETPRO signature is available in the full report

Debug output strings

No debug info.