General Info

File name: SWIFTMT202_105RD119002425.uue
Full analysis: https://app.any.run/tasks/4ab02310-1092-43cf-b3d5-4c74e6d1315a
Verdict: Malicious activity
Analysis date: 9/11/2019, 10:41:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, nanocore, trojan
MIME: application/x-rar
File info: RAR archive data, v5
MD5: ec2d1c1f67dfcb95d4d6d10c76daffb9
SHA1: 375c583dd5ac7adb4261d58f9b73671668222726
SHA256: 020f6b37b0f2b014b9684feea0cc38454879d33228d16045d71884c1a1f6b581
SSDEEP: 24576:6zZipy1/cyykeBvvgIPqP8MVBjdFyjp7FHiprDrFkRgJFAIWNTyFO:MZipbyzIvvRqUY7YtFkrF+AFARTyQ
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • SWIFTMT202_105RD119002425.exe (PID: 3248)
  • xbb.exe (PID: 3280)
Changes the autorun value in the registry
  • xbb.exe (PID: 3280)
NANOCORE was detected
  • RegSvcs.exe (PID: 3032)
Connects to CnC server
  • RegSvcs.exe (PID: 3032)
Executes scripts
  • SWIFTMT202_105RD119002425.exe (PID: 3248)
Connects to unusual port
  • RegSvcs.exe (PID: 3032)
Executable content was dropped or overwritten
  • SWIFTMT202_105RD119002425.exe (PID: 3248)
  • WinRAR.exe (PID: 3576)
Drop AutoIt3 executable file
  • SWIFTMT202_105RD119002425.exe (PID: 3248)
Creates files in the user directory
  • RegSvcs.exe (PID: 3032)
Dropped object may contain Bitcoin addresses
  • SWIFTMT202_105RD119002425.exe (PID: 3248)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes: 36
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process chain (edges labelled "drop and start" / "start"): winrar.exe → swiftmt202_105rd119002425.exe → wscript.exe (no specs) → xbb.exe → regsvcs.exe (#NANOCORE)

Process information

PID: 3576
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SWIFTMT202_105RD119002425.uue.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: ––
User: admin
Integrity Level: MEDIUM
Version:
  Company: Alexander Roshal
  Description: WinRAR archiver
  Version: 5.60.0
Modules (Image):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa3576.29740\swiftmt202_105rd119002425.exe

PID: 3248
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
  Company:
  Description:
  Version:
Modules (Image):
c:\users\admin\appdata\local\temp\rar$exa3576.29740\swiftmt202_105rd119002425.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wscript.exe
c:\windows\system32\sfc.dll

PID: 3912
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\95444044\vhe.vbe"
Path: C:\Windows\System32\WScript.exe
Indicators: No indicators
Parent process: SWIFTMT202_105RD119002425.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385
Modules (Image):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\95444044\xbb.exe

PID: 3280
CMD: "C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe" pnn=gbo
Path: C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Version:
  Company: AutoIt Team
  Description: AutoIt v3 Script
  Version: 3, 3, 8, 1
Modules (Image):
c:\users\admin\appdata\local\temp\95444044\xbb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID: 3032
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: xbb.exe
User: admin
Integrity Level: MEDIUM
Version:
  Company: Microsoft Corporation
  Description: Microsoft .NET Services Installation Utility
  Version: 4.7.3062.0 built by: NET472REL1
Modules (Image):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\f971acbc25b64dfe4d70e5b25837c780\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

Registry activity

Total events: 1355
Read events: 1277
Write events: 78
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3576 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SWIFTMT202_105RD119002425.uue.rar
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3576 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3248 | SWIFTMT202_105RD119002425.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3248 | SWIFTMT202_105RD119002425.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3912 | WScript.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
3912 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3912 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3280 | xbb.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe C:\Users\admin\AppData\Local\Temp\95444044\PNN_GB~1

Files activity

Executable files: 2
Suspicious files: 2
Text files: 79
Unknown types: 1

Dropped files

PID
Process
Filename
Type
3576
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa3576.29740\SWIFTMT202_105RD119002425.exe
executable
MD5: acef3abfbde27400e0737fb780f6a3cc
SHA256: d9dcdef4fea2521509bb3eeae3dab75392ac903891f0f3161a3a30ff6f26010f
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\xbb.exe
executable
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
3032
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
bs
MD5: 9e7d0351e4df94a9b0badceb6a9db963
SHA256: aafc7b40c5fe680a2bb549c3b90aabaac63163f74fffc0b00277c6bbff88b757
3032
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 5a9844b346e798f1bee612358dcf3c7a
SHA256: 000e8963802a6d8942f66300cd12139ad834756d973615a255cf8d48a44bbf8d
3280
xbb.exe
C:\Users\admin\temp\cjr.ppt
text
MD5: f940e4b7012f2dd97bc5f91732d0703f
SHA256: 6c1aaa61dcb2f7e2b6e92c2b2959fcceef1b8650d2284552e7fe077b9e237b3f
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\odn.ini
text
MD5: f08384cd6d8d1ce949e204dafb257883
SHA256: c5278c0b9973a3194079eebdd70ab6c258038e3fa3c4993593f75c82ff44f628
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\apr.log
text
MD5: dae9f53512d128ab0c8b4ff2867a33dc
SHA256: 25662af8ed8bf7d8124846cfbbcc487954a514e9d7f28e4a35e7ea4f187fa22a
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\iqs.icm
text
MD5: e0ac042f2303c2b67dd0125c419ad9d0
SHA256: 3750c4ac5737f99fe1bc27c5b08b278459f2679c74cf9d8025ab20353432096e
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\edp.bmp
text
MD5: bf7d64d6684c4d23d56a23b6860992f8
SHA256: 19c0b880221bcba8eee4edb13894f9ff9c2d7a65676a551a3a444dae4f369984
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\xjg.xl
text
MD5: 1537fd4d0f9454f7e4e398a43f14b76f
SHA256: a589ef807a2da16ae4d464f6d77d9dbda61e212c32c97a9e313fd5a3bb740331
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\ewr.mp3
text
MD5: 81ef49c38afe5ae93abe9a06e25cd9f5
SHA256: 1c29de3d88edffa8054e52482102302dbfc53fb23eedc507bc30169caf0fb641
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\oog.log
text
MD5: e123c35a5d5a43516fadd70711f7636c
SHA256: f6d1830ec3afeeda0fa6814151d92e39964661745e778670b9de77dc671619b7
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\lrm.exe
text
MD5: 85b79c3a540a33fa89b75829093fe69a
SHA256: f79ab60f24b57f81d9115ce2b7999b81331d563999c5708aa9f75d4db4677f77
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\uju.icm
text
MD5: de2d83a070e395701d7b6c7c357efce8
SHA256: fe8f62347f6c2c2d1b3fd43bae4ac6c73ce84ff35a966a22769e10ea0a3d8bae
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\rrd.cpl
text
MD5: 83daf1b23077086fcdd6794546c1bfb1
SHA256: 022acbfdaa3ad4651cb797f21866a9ccebded8d1d351f757d204831cc8a2a4e9
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\crj.mp3
text
MD5: b0e1057c9efc12796de6a0522e4b8d7d
SHA256: fc3aa5c7e3ee87900773efbb9f3b7e925d80e521d186c65524ead08b82ac4111
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\abe.exe
text
MD5: 0bb014f70e0415ad2db17c138e479e33
SHA256: ad6b0fc973abc875ae0ed77c1101d8ce41489d752ccb73f179d78e1d5d655982
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\lal.mp3
text
MD5: 23b2e8eeea763af6777f0ba205e8fc5e
SHA256: 082831b75884a663f049f96c0257998476bf9138924713d59bfce9959046874e
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\ath.ini
text
MD5: 040f2ac09df914e576d2bf7caf1c1cd3
SHA256: 4abe7614614f54e9869a857ab3e607a79e42cc25521790c9794c52926e016402
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\xjh.bmp
text
MD5: 1d6f8f38b7fe737910ce9085564c8f96
SHA256: 1209e42c856ba5866532e170efb7ef8f66bc9334314251749e3f95e21e9bfc0a
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\glt.xl
text
MD5: 269f07f60f322b1235b98b0d50b24aed
SHA256: 51c70ab28d5e3d06f85d69278449c065b0e70c037456b6403d17acad3c134116
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\dnh.txt
text
MD5: 5509d6d869bcf9b846ae7488de0678fc
SHA256: 4f92f8e108afb60148359d4ac66b049316ec6364379c5530bb734ad8808c8d7e
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\aqx.ppt
text
MD5: 77dcf9945ef7d715a978d185f4e3ee3d
SHA256: 151f8a98a95a33b518b3a057155bc5f699a6157d89dda040271ad6d27a6cbc3e
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\lde.dll
text
MD5: ddfbae40a973cfb3915304db6dfef4e2
SHA256: a12f0c91b5c8e16ad11b15e6dd2b5100bcbcaf8de663c1d43898e53e3d7280df
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\iko.pdf
text
MD5: 8c6142dab1656c4de112c5b8bff3da98
SHA256: fc1046e69dc9a43d1588498ef34eb65f94cb0e3a4ff534a69bf41ae1a7abc176
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\ovq.bin
text
MD5: 9cea1afe38ec146c3a218754f4f7a35a
SHA256: cbef14ae6ff963d6a07861e9f5d1792e7729fba381e965fc2ba05110d9c14836
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\jcx.icm
text
MD5: a6fd1fe2e51ffdefc2bf52928cb6cfa6
SHA256: cc01b6527aaed6a69d5c57afd9bc35616a5024f17a9c239a697ebb82108cce35
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\qua.cpl
text
MD5: 4ce0c1040a424fc1e2c4b329b3c6bdc5
SHA256: 6e3e659e26dc7ca5ae9f6573cf828504ab5a3855c6bb904651bf086bf9826884
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\gvg.msc
text
MD5: 7562b60a4ede459f0283a1678b51fe2d
SHA256: 54c51f8428655bbf2465c2e794ffd70fa4918372d98e2af0e656d7948a649d78
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\cph.log
text
MD5: 7f2fd28fe36e9f11dd07b0f899c9f2cc
SHA256: df567dc7276a26dff0667db5d33220b9fe4bd9975a6066314295c6ce4d1ffcc7
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\ivm.exe
text
MD5: 1665c639525a4b9a3c3a1e4a32713fe0
SHA256: ac35a1adab6735f95462969f6adf062461554a1999adab4b31c02f21e1b25d5a
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\qgx.ico
text
MD5: 3e3b3d665ec379c50d8aded2cd559664
SHA256: 698484804efbf44010dc6fd32ccf364e1d161c99ad47e0c112726ebe0da0d58f
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\bas.xl
text
MD5: 01cf118ad4cbcdf732cd202105cc861e
SHA256: 2bdf53ebbab6c4daa6329d0afb0e9d580d6b1e327334ad8812b1d5750956b5ca
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\vlb.bin
text
MD5: 7f76e53484482135beba7c46f19af3f7
SHA256: c9ea3a38c3b898d5551fa47edc4d72cc7f46b6c5be16fc8bee8fe12e8a51f9d0
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\hfj.ico
text
MD5: 3e94b18b3cf081caa7776e649adc05d9
SHA256: 2e32b43326da4f05eda9e80743e5bf75dd20a224ad57138949aee1d1bfe32dd9
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\dpn.ini
text
MD5: 7733813c14fa8805b1ef06647fb8f262
SHA256: 085aa63650b593b6fbaf910fcc9f2f78ae8fe08f9b07ca08e6a27fafd3a31894
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\vxn.ico
text
MD5: 10dbd5263815a5cf88e351ca5f2f90fe
SHA256: 34060d01f2d708ff9bfae16e8ee1c9fe8963eae8adc31c42402d16c8b0ef2688
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\mdn.dat
text
MD5: 1a2b1b810e27c91d565c1ea9e40a0ac0
SHA256: fb597e5335d51ff09a08edd7bf23208624db9a9a71254cca4830c0efef52011c
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\wsf.exe
text
MD5: 437d07bcbef631fd7eb9688760639919
SHA256: 11a7676964cf432cb8d21f71bc73ec8f0bc53822d93be1c2a781854be79f2571
3248
SWIFTMT202_105RD119002425.exe
C:\Users\admin\AppData\Local\Temp\95444044\jlg.msc
text
MD5: 52d48d7e868e7c3e49497925c2e8ea3e
SHA256: 1e171786c6b0d1420d3f17ec45e3bbaf9589a56bb58a4dc46d3e2534a305754e
PID Process Filename Type MD5 SHA256
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\gjn.ppt text 681c0a317ccd5a298d451290437ce883 3e3416c17d7d12b341425bac2ad9b2c931f4431b0a90c19c4cd0283bd48e0a91
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\sdi.bmp text 0626496e879ed2c525d4da27c5792282 1a4e08c6894d59a18625d3f12d88bbd3e69c3a0f6daf2c39caa77c5a8e38d853
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\deu.exe text 41bc7c2ba3cf89ff463d405e4add952d af8af9042044cb13a06737f76f3dfd721e7509e5a3237a62980b0470fc6c172c
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\opw.docx text e0227b54616310e435f2bb55ca0a12dd ef68a163a87ce716f78e1b844ed0deca327af90eed1fffeffd15e7255df7bd74
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\oxs.xl text 72cf6697c7ea7127544f8f8f32dbd882 bdf27be134653b7e5afcc2813007c695c64fb93d1ac818819980bf606e1c5f07
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\noo.mp3 text 075e01832cdce3462da63ba957340e97 0ce9725622d9ce07a98f3e7d57f8cbd6afad22103863a4a515df258385802014
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\ptk.xls text 0fca6ca8340bd753f9c81eb2495a3351 4c13b03f90f7eeacf52e3980b77340813bbf9c8d57021c3a5a21adaef912dcc1
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\smw.docx text 0e45261a3515e041440d6ab69f9ab1e6 6f28c72e0d7975773ea87e860555b24a4e7cac4a72a400e415433cf3fd873aad
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\gqa.xl text 608a0cdd19bbedb1d17737d1a2c4f25d 8bdd099e6ac4a488c1e20a7d2b25dfd7520d37abc885e601939aa2f9c68fc014
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\xxu.xl text ef1a9b5b6216475bf58ebc763ffffd1d 339236242a15dc17cda5c24f9de02dbe7f4a5d60f22ddc082b34cc3f61fa3ccd
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\bcn.msc text ed022c2fc50f4917a67b37eda38adecb e29eca4ee9a929fac85fffb7433748838e99c4ae2057e9762070d340a3538c58
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\wco.bmp text 9ddcaae6659c55facc02683391800e6e db9b318484dda7c9b86367915cc6918ab39bc09c13604251fa3b4660fe873d77
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\oak.docx text c7056102edb80bdad08db03aed089741 538aa31b2da4688854ffc8281097f4f4dd0e0aa5ee6702ce3fa461c1f1305746
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\vrr.dll text e44c09823c37c6fb2c8466d3b53038b3 d112279e22eecff50b6116bbed97051fc32563b64f0e784770fa1d458ca8ac5a
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\lse.ico text 211271d430a09c7cb3258ef204610881 d6e9123af285716648d4a57f3987d55a1fb5cdc5a5b52906c5031b6a2c7907c4
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\jkl.xl text 403885e52cb816c074460083464acf5a 08c3f1fe1e040bc0577a3da945a3eee471dfd897db37c9ca4bf13af0b8a0bd2a
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\bjg.dll text e3645d8384176e8e3a2ffd12aadb93e0 4b89c967bf8ef8bbb0dbf46ffcc0afbe0091b8025fc8405181becf59de07d3ea
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\itf.xml text 06bfb6065a27e574c87106bd1941549e e54129b45b61f68e84b2a1c8dd7cbbc41db93ad920ea306d330b1164550bfaf2
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\kma.exe text d9403433849c6228287b693cc112ec41 12fdd0d0c97578aa59b3d804b32b266c7c7b2616a63760916f5749c5686d5746
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\gpr.bin text 7340cc9971045d5cca5f3ec0cac02c82 3fb88b2cfafa8d3c5b08c3840dfaa20e67de1e075539d9b6b3fd0a3f3a43e6f4
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\mus.mp3 text d432082d6e911c94c0556261b51450c3 a83f7275cbee658db7795246e0ca3728cd38e2a047ae3a724d31d9b5f1a5e307
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\vxo.jpg text 94bceb660eca8cf495f6f14103f26789 bbae9dfef3bfe028abf10bb5a7f85a496d5f60a9c2b37808097ed139a0be45b1
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\xkn.jpg text 8aabf4c08e9426529eee740a7f43eea2 dfef731b91308ac12ed6ab85190bf2fb0a893fa78f8d22da18f86f8fdaca1941
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\jcs.msc text 24385e2aca6ef3fc43e005cbc40a211f 9e9254e2e19ddb744238580db809bd9b96f75f5c74d8c504fa1cfc09f3308e38
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\npf.exe text 58cc84f16ed6cdd6afa83dcd55882da2 0c4a057e87aeb66118fb911a5609275853682d0a53715018fade24a35bc92fcb
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\jaw.docx text 1aff88f61bb6fa07086c73a96034a2fa cc3fb72df08e48dcbd5dcef4b83bb212be44e33c436b415880786787dfbfe526
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\coc.ico text b30f86e49f073baca2c3779de7f80a54 7226671c9f64e289ce48eecadeb078649ab8b221d85b65fd4f8efcb8b5edcad2
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\eaj.docx text cbde1b119e815cef7df2c4a3d4ac6b37 f5c14fa85d298bcfb9526e4b89fc9e3f0a5c139cf3e4779689716a50f599fea6
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\ksb.exe text 6331173c43f4c99d408c03bed5d06eb3 ea53a1a99764556a0806cf0b68627bcb7a7f3eb00f927e47024cee211af8873f
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\uow.icm text 3797908cd3deeaa1ae2a2aa906ad115b 0f1311b04b400be06cdd1284c8560095b4abec6a592b148a7168c766d9693af7
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\vnu.ppt text 2d07590bc678381057da8d3e61122573 b9a165f23f2ce728281f7e1e251e3d3b05e2b82dc1a47396cf2a93fface7a8a0
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\est.xml text f0a0368c679ef4e9e3aab8f4e1215ae7 05bd4ff761fbb98cc423cbbbd3e0d81389e6ae3a8b8b76b8b61a9f0f63749a44
3032 RegSvcs.exe C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin binary 4e5e92e2369688041cc82ef9650eded2 f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\hcm.icm text 9e18c5021edc7a9c8a87b524e6bdbf5e 15158797d47681450d92739038959377f5498b9fbaf7ff0420d3232927939b0a
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\plh.txt text e8db514f7ddf42c9036f9e23f218c629 9ef0587045bf60d1380eeaeb8a69ebc684517e9ef89b5deca34cdb78b4f90b62
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\rqu.icm text 0d94a4461ed4d1fb22317ed0d8dfddf3 7af05337fcb714425c5f327101f6a379cc7ab1111a7bb4f6197a27e617097a19
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\lca.ico text afd089611d7bab1ffe6217acf621c78d 5e8c1c63777b4c39a8572d79a8fdcbcdaf9c6569f3e28a71b995eaab26210293
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\axt.msc text d64264cef02eee4984b63646a0d209b8 c4ef220b6aba81e4be19822ecd2ddaece4c68fe0961386d2466cecde333b8c4e
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\cgb.bmp text f02e2bb70eefb9e23c07d21d70859cef ec91cc4e374d3213560d3d1bc72c71e9a89af7cc009d4c135c4139e6971708b8
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\vhe.vbe text 46d2f1e60c951eef6efde06bf6267e93 19aab1d4bf84d082813fe7cdac94e6a64822ec55549ed1169b6d2ffdadf822a5
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\pnn=gbo –– –– ––
3248 SWIFTMT202_105RD119002425.exe C:\Users\admin\AppData\Local\Temp\95444044\cjr.ppt text 682d76edfcfa2fdf87d50781819f2c08 61a8ef10cea5059d1520087254f6916575d3eb3e9076aa14da103191e5edafba
3032 RegSvcs.exe C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat binary 2e52f446105fbf828e63cf808b721f9c 2f7479aa2661bd259747bc89106031c11b3a3f79f12190e7f19f5df65b7c15c8

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 23

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3032 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3032 RegSvcs.exe 79.134.225.110:54985 Andreas Fink trading as Fink Telecom Services CH malicious

DNS requests

Domain IP Reputation
1gstemos.duckdns.org 79.134.225.110 malicious

Threats

PID Process Class Message
3032 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3032 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3032 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3032 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT

12 ETPRO signatures available at the full report

Debug output strings

No debug info.