General Info

File name

15042019-FHR-YU.PDF.Z

Full analysis
https://app.any.run/tasks/8d1b8177-b3b0-443a-9bf0-17cec56799b1
Verdict
Malicious activity
Analysis date
4/15/2019, 11:26:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

f13dbd1002ac4ae1b1f2e725e6caac27

SHA1

dec722384951596ef898b4889c55272fff97ccf0

SHA256

013bd1655536c868b75d70145e8adfcd09d8d0e33be16543ee65ca0ecf2755c4

SSDEEP

24576:e9+7YRLN7S/oc0edemGI9MJSiRz31J0cvW:eL/7QocZemGhP3dW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • kdg.exe (PID: 552)
  • RegSvcs.exe (PID: 3256)
  • 15042019-FHR-YU.exe (PID: 3272)
  • kdg.exe (PID: 2828)
NanoCore was detected
  • RegSvcs.exe (PID: 3256)
Changes the autorun value in the registry
  • RegSvcs.exe (PID: 3256)
  • kdg.exe (PID: 552)
Executable content was dropped or overwritten
  • RegSvcs.exe (PID: 3256)
  • WinRAR.exe (PID: 2912)
  • 15042019-FHR-YU.exe (PID: 3272)
Creates files in the user directory
  • RegSvcs.exe (PID: 3256)
Application launched itself
  • kdg.exe (PID: 2828)
Drop AutoIt3 executable file
  • 15042019-FHR-YU.exe (PID: 3272)
Dropped object may contain Bitcoin addresses
  • kdg.exe (PID: 2828)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes
36
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Rendered process graph (image in the full report): winrar.exe -> 15042019-fhr-yu.exe -> kdg.exe -> kdg.exe (no specs) -> regsvcs.exe (#NANOCORE)

Process information

PID
2912
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\15042019-FHR-YU.PDF.Z.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa2912.39045\15042019-fhr-yu.exe
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll

PID
3272
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.39045\15042019-FHR-YU.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.39045\15042019-FHR-YU.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
NVIDIA Corporation
Description
NVIDIA Container
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa2912.39045\15042019-fhr-yu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\00265295\kdg.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
2828
CMD
"C:\Users\admin\AppData\Local\Temp\00265295\kdg.exe" bdh=aas
Path
C:\Users\admin\AppData\Local\Temp\00265295\kdg.exe
Indicators
No indicators
Parent process
15042019-FHR-YU.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\00265295\kdg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
552
CMD
C:\Users\admin\AppData\Local\Temp\00265295\kdg.exe C:\Users\admin\AppData\Local\Temp\00265295\VDIOZ
Path
C:\Users\admin\AppData\Local\Temp\00265295\kdg.exe
Indicators
Parent process
kdg.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\00265295\kdg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
3256
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
kdg.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
830
Read events
800
Write events
30
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2912 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\15042019-FHR-YU.PDF.Z.rar
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\Desktop
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C8000000000000000000000000003C0102000000000039000000B40200000000000001000000
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000003E01020000000000160000002A0000000000000002000000
2912 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000160106000000000016000000640000000000000003000000
3272 | 15042019-FHR-YU.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3272 | 15042019-FHR-YU.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
552 | kdg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdateR.exe | C:\Users\admin\AppData\Local\Temp\00265295\kdg.exe C:\Users\admin\AppData\Local\Temp\00265295\BDH_AA~1
3256 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
3
Suspicious files
0
Text files
51
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3256 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | be5073ae05e68612ba0fc1a3d339e64c | 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
2912 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.39045\15042019-FHR-YU.exe | executable | a5bf52452c809bd059119596d52a7b27 | 495e768b50c24b1f152b3d9c1e96c23ae301a62884d6619f0318eb1c7e44cbba
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\kdg.exe | executable | c56b5f0201a3b3de53e561fe76912bfd | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\uhf.ppt | text | 6282e7df1b1837bd3bda783ca132bd1a | 8868ca9ce86d9f4c7c2a5b770338469347d0bb49c6e9d85fcd8c46a22ebb1586
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\igl.bmp | text | a16a455629741f16374168ec5519cd12 | c7600c0da10d9cae0c2028ec7f4f7dfbbe947c68fcdce80400f4fe7e28aa8e93
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\gsb.xl | text | 1bb501cf9efd78654d7aa03da5a7d9e4 | ce0beebf88e9857ce5775730e3e8cda3fb8ce31138ae8b519105d8da5d0702fb
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\fna.docx | text | 54c8c8beb14bdb57c8c767cd97ef5255 | f34c5138e17f989545f10dff638cbef1f8d0b95ad8d3cd53ec1e7d31d417559d
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\wip.docx | text | efdbd7332e610fa7f885bd3a40c0f7bb | 80413c76169e0ea24c9f42a2ef143404468e5d61e969c073cc194b22b0b4451d
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\xtl.ico | text | d1ae4e08024115cd86471e7d9d83f781 | a953ffce6c3b205338bbf3614eae696218061075fa265c40b72c9b8354ec9df6
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\tdx.mp3 | text | c938ac4ba763bf57f9cdf7192d2f5287 | e9c089bc3d6ed7a09e87e1a8aa47cbc92b2d9cad73a8f4561097fe5b9528c820
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\ser.dat | text | ab837fd73468ff5960ed29b6682275d2 | 32c0e3a3729a7ccec1bb3514f1432cfe887129a77ed5f19d0a5d3c40ccdfd82f
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\cfu.docx | text | 2ed0a09546c07d3a9c2420b4d80a1781 | 47b460018f69c17139d9a7a8e0a839fbf3c9d24fa79fd6ff1ba26bbaf3e7c620
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\emp.ico | text | 2937ac6a7f3fc2abea5104b385e8e219 | 62775dbca8bf18bc8ce970bac706bd0674906b40ce0e8f8bc5960ae27bda246b
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\axj.xl | text | 70d04f9f07f43cbbedda088d5820866b | 839a6e60401dbecf097d7c62ea8dff678c4258b0a7c91668e5c65e4b82dbf557
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\vbv.ppt | text | 01b282448237ee85b47975aae6afaedb | 956f7b15fe2b1737a70764132d497ee2179b277f59ac1f343557a44701653506
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\exi.bmp | text | 24410f96b9f6b631b1a70c8ee690f5cc | bd763bdb1b3a7b2e141fee31f996433161d07b0f24e5e4b2056b034d84db8d81
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\giu.ico | text | 57e4cb1de450274ad1220453cdc919b6 | df8da047494d463a515eec94dd03e8edf75ca1958b9d4d6982b2e37fbdf38c26
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\oek.ppt | text | 8f50740bd3e25a8d9b8d936f45f614d0 | dabf5d613405d7d071c6216a74657f5284d060726708894ed23db530e7dd8f77
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\seh.jpg | text | 5f20db9a7ff8edf5e5a464f913ac37fe | f2843505b04f08c041fa8d9594e3324add14c42a4913832dba34a62d5732960a
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\tkw.icm | text | a1509dcd2d77abbd5a7ce9c84d60a261 | 47d338d03985002613b982af78cfa49ae9a8e556a10a23de942d81c0851894e6
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\faq.txt | text | f8bdd331c99a930c1672e4f5246b8d1d | 14754dd4f8f3e580b0fe2777608b491ecd639e5373790860647f84693075437d
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\wxt.pdf | text | 87d7528a84faabb274b923bdd2f69e45 | 8748741acfc3f714fed1a5c5b48aed1605cff20c2cf15375af508d293d9ab981
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\gva.jpg | text | 3f86eedbd560cfb0366e39b7adffd7f6 | 99cb1ed12672a458d4194695ce672cd4fdfa189fe9d3a082bbfcdd22695f7e3b
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\nom.txt | text | 5ba671b1523904e0f4dff13726f89d7c | 9cbb8dd1be5589c933ab4948369cbed2d0adce6f98343a7d2493c33787e5a755
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\bhp.xl | text | 4845fd236a63ada27f0750f51b4fc050 | 40630c858af6d324561ee3740426cf7451ad3e28e5f5ef7afa04d82a1d174ed8
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\uxc.xl | text | 606286d5604bf2cc8f8f6908f44063a9 | daf744bb570f89bad02dd774a2826f8080e0ccc57e571a458bd0ca3c05ff878a
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\pkj.pdf | text | e94d2fa3a4b696d3fc7c6e767c4637e3 | ca7e539abbd59d7764bccb1cfb039b8bd29e2bf68c70da550e1223bd2640da69
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\por.mp3 | text | 8f24f4f26a944628ea165d233aacd778 | 3a86d73cf28588addfbb698e241fa3ffbf65fe07f602b51f8609b2b6525b1c40
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\ric.jpg | text | 660b4926f4b216d7302190f4e2a55897 | 07a108bd36650be47fba1ab553cdfc6f4739cb49136697bfe9f3441294b04003
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\ubh.txt | text | ebbcd7da43c59b42d45676705ffde9bc | 4893816f2014765da5dd1291179c76bac3e8a8804c727bd9e927e4c8e4102348
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\nfw.bmp | text | da62a92ade7588609783f4387dd7c3d0 | 0f58c770669411674033d6775fd9392bd44f1ffc41cc1e005ac22022f47bd4de
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\vph.dat | text | 4b6d7960a3319569516ad8fd6eb72b1b | 3113a011d24e19c4714382df381cd66cdabd61f04d667fbc3e753a32d0e99d13
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\pdg.txt | text | dcb1a66df93cb9b9b979b3d0d9bccd6f | 9231ab20c69c488cbc5861880c8e0226a48e8de69e421a6d75278b708450ef71
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\jgo.mp3 | text | 3dbd93e0600f4a381fc067d332dec964 | 9b677bcf5304302677f23b827e6da814527da7c0ee8d5041e553c20e2281ad15
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\ddq.mp3 | text | ba5947806ff5faabfba25c626f295893 | be9aac6bda55b392e45c9963c1a1fb5b6a939403d66f65a968d983297c91b278
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\dxb.docx | text | 841c5b80d15dc3ebd89eca0e336d9888 | 0ae717961310634e2919db7f9d217a9ff0b42f001023ef64c340cb0581cf76c9
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\wpn.docx | text | 9f8b105f6a60fc96c91a30e548075c39 | 54f2dae0b772370c846ebdbdd2fc73bfb39363957a834c22522c0331a4f20fc2
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\mrj.jpg | text | 7cd0f6955dfbd973fcab099add1633bb | 05a0cd80c2171a86460e87673c1fe7949654168ad9a465e322340c89035433d8
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\nma.ico | text | f08164029dc97cd7c5d8f10c147dfe39 | 4d91b6eead30e670134806ace953b2cbca2aa31dea0d098867141f4584130cca
2828 | kdg.exe | C:\Users\admin\AppData\Local\Temp\00265295\VDIOZ | text | 9737c04d8a1fcf0e2c293db21f40000a | f667715cd1975545993c3c03270ebca707b3d27bb25488b7948bd0460d0f0cd3
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\mkw.txt | text | 70ff4b55022a25cf644b07ef7ffd464f | aa1fa0e0b1718dafc9d1cd2cb13a09603f11d0a83e7b8de6b0caa977d7ef8718
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\vsd.jpg | text | ccac3d362a5cbd716ff8fe895cb8f764 | 723f7b4a3c6c059948514d68527a1f1f9cad906fe56f92ae14cc0c70a37d148a
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\pxt.mp4 | text | e8bced966e124774ae39e1037c1d4c64 | 7ee62729cac7ee2a28b0a704d098c2210ea13e8f135a61095448cd20aa8514bf
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\sho.ppt | text | ac526496b9ca30276d9a6b88a6403e49 | b600fd4a5ffe255ba6192ac1ae6ff00d91c124f49584628855c7c03bbab79740
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\sek.docx | text | 3c37a6b1ca3714fb6c58c6b6dc5b8016 | a7ccdab6be63e3302b81fb8abd1bd167cd541cbf71f8daae8b493813ecf78cca
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\ouo.docx | text | bebda2769a4dcc993617e4eee16afb86 | cd1d235ce47b76ec57d81017e86fb8d044dcc86f8f108b3a73db65c6f1b9f199
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\utr.mp4 | text | 8c8145984601f8caafd927b421a6e166 | 89d7df5c7a389062c6231cc804808f3e26e2859d8b2b6d2d83ef68f0cd1520d1
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\tbf.pdf | text | 98aa85742e1b24b2d54410371443dadf | acf374328a5ac59428049e86837b496705e54d5c57f4a2b29b60b163ac9921a4
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\kei.txt | text | 63ddd45bbeda00ee2faa260208390a52 | 8483e12f5913c20ecfc5caf46474b57528d05479c589ae0a0f92903e32d531d1
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\FileConstants.bmp | text | 3517143ff73c603824475eb90632faa4 | 96bbaada3a3c892f190d7f945916a0665a75a4d71dd653427d375f55d65f8740
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\jem.pdf | text | 12affcefe9c33e504ea39bff50d474d8 | 41d6a533522d58b026550b9dc82a294cce794a382a907ce44f56aaf086d2578e
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\bdh=aas | text | e09fce0622023983eb482133c282543a | edc11893dea4c8355c21f48d4aaa5f9369d55514ebaf72877b60b2138635312d
3272 | 15042019-FHR-YU.exe | C:\Users\admin\AppData\Local\Temp\00265295\ButtonConstants.txt | text | 0ceaf9a20ee32dff5c48d78f3e9193bc | 541023467c85a271944f8098a5a648374c0e3387d0b6b86b92eab4ce876d38c5
3256 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | 5f144f26d693f67a334b5a2b7d35a1ff | e5a7739741fe0fd888130345f8409a3a811341136ab99324c15b206f3cf13057

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
11
DNS requests
4
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3256 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3256 RegSvcs.exe 197.210.55.68:8785 MTN NIGERIA Communication limited NG unknown
3256 RegSvcs.exe 185.244.29.4:8785 –– unknown
3256 RegSvcs.exe 197.210.54.50:8785 MTN NIGERIA Communication limited NG unknown

DNS requests

Domain IP Reputation
elvis4.ddns.net 197.210.55.68 malicious

Threats

No threats detected.

Debug output strings

No debug info.