General Info

File name

ПАО Авиакомпания Ютэйр подробности заказа.js

Full analysis
https://app.any.run/tasks/114dedd3-40b6-47f4-aeaf-3a23783179f3
Verdict
Malicious activity
Threats:

Troldesh, also know as Encoder.858 is ransomware belonging to the Shade ransomware family. It was created in 2014. The malware encrypts files on the victim’s machine and demands a ransom for the data to be restored.

Analysis date
4/15/2019, 12:07:50
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

loader

ransomware

troldesh

shade

Indicators:

MIME:
text/plain
File info:
ASCII text, with very long lines
MD5

ecbc0f3fa521cd5d8425a553c65166ee

SHA1

ed66d565ae005f498fe5df2dd428dafa5e9fb089

SHA256

03b96ba038702509500d34adffc5d1344c923522018e8780ac74d3c22a967a35

SSDEEP

48:abdMeAobLlmORNHuXvYBkrBgU4r0Xnx00tzjqs8HDprXJIpI/4S1r76Uksa/1KTl:FuGOtrMX78VlG+g10/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Downloads executable files from the Internet
  • WScript.exe (PID: 3856)
Changes the autorun value in the registry
  • rad51EE9.tmp (PID: 1664)
TROLDESH was detected
  • rad51EE9.tmp (PID: 1664)
Application was dropped or rewritten from another process
  • rad51EE9.tmp (PID: 1664)
Starts CMD.EXE for commands execution
  • WScript.exe (PID: 3856)
Creates files in the program directory
  • rad51EE9.tmp (PID: 1664)
Executable content was dropped or overwritten
  • WScript.exe (PID: 3856)
  • rad51EE9.tmp (PID: 1664)
Starts application with an unusual extension
  • cmd.exe (PID: 2072)
Creates files in the user directory
  • notepad++.exe (PID: 3972)
Dropped object may contain Bitcoin addresses
  • rad51EE9.tmp (PID: 1664)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

Screenshots

Processes

Total processes
38
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

+
start wscript.exe cmd.exe no specs #TROLDESH rad51ee9.tmp taskmgr.exe no specs notepad++.exe gup.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3856
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\ПАО Авиакомпания Ютэйр подробности заказа.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\scrrun.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\program files\common files\system\msadc\msadce.dll
c:\program files\common files\system\ole db\oledb32.dll
c:\windows\system32\bcrypt.dll
c:\program files\common files\system\ole db\oledb32r.dll
c:\program files\common files\system\msadc\msadcer.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
2072
CMD
"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad51EE9.tmp
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\rad51ee9.tmp

PID
1664
CMD
C:\Users\admin\AppData\Local\Temp\rad51EE9.tmp
Path
C:\Users\admin\AppData\Local\Temp\rad51EE9.tmp
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
FGResDetector Module
Version
1, 0, 0, 1
Modules
Image
c:\users\admin\appdata\local\temp\rad51ee9.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

PID
2068
CMD
"C:\Windows\system32\taskmgr.exe" /4
Path
C:\Windows\system32\taskmgr.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Task Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\credui.dll
c:\windows\system32\vdmdbg.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\slc.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\propsys.dll
c:\windows\system32\windanr.exe
c:\windows\system32\dwm.exe
c:\windows\explorer.exe
c:\windows\system32\cmd.exe
c:\windows\system32\conhost.exe
c:\users\admin\appdata\local\temp\rad51ee9.tmp
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\actxprxy.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\dllhost.exe
c:\program files\notepad++\notepad++.exe
c:\program files\notepad++\updater\gup.exe

PID
3972
CMD
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\rad51EE9.tmp"
Path
C:\Program Files\Notepad++\notepad++.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
Notepad++ : a free (GNU) source code editor
Version
7.51
Modules
Image
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\program files\notepad++\scilexer.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\windowscodecs.dll
c:\program files\notepad++\plugins\mimetools.dll
c:\program files\notepad++\plugins\nppconverter.dll
c:\program files\notepad++\plugins\nppexport.dll

PID
3260
CMD
"C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path
C:\Program Files\Notepad++\updater\gup.exe
Indicators
Parent process
notepad++.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
GUP : a free (LGPL) Generic Updater
Version
4.1
Modules
Image
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
591
Read events
556
Write events
35
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableFileTracing
0
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableConsoleTracing
0
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileTracingMask
4294901760
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
ConsoleTracingMask
4294901760
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
MaxFileSize
1048576
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileDirectory
%windir%\tracing
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableFileTracing
0
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableConsoleTracing
0
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileTracingMask
4294901760
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
ConsoleTracingMask
4294901760
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
MaxFileSize
1048576
3856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileDirectory
%windir%\tracing
3856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1664
rad51EE9.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
xi
906D0F2E2F604F839E04
1664
rad51EE9.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Client Server Runtime Subsystem
"C:\ProgramData\Windows\csrss.exe"
1664
rad51EE9.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration
xVersion
4.0.0.1
3972
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3972
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3972
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
3
Suspicious files
0
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
3856
WScript.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\inf[1].inf
executable
MD5: 73dea1a75637e14f6fcd012fe2815636
SHA256: fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883
3856
WScript.exe
C:\Users\admin\AppData\Local\Temp\rad51EE9.tmp
executable
MD5: 73dea1a75637e14f6fcd012fe2815636
SHA256: fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883
1664
rad51EE9.tmp
C:\ProgramData\Windows\csrss.exe
executable
MD5: 73dea1a75637e14f6fcd012fe2815636
SHA256: fd03dd58aa7cb5236f4df8cde3fb07af304c6f402cd48b86eefcecb8e7b86883
3972
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
text
MD5: ad21a64014891793dd9b21d835278f36
SHA256: c24699c9d00abdd510140fe1b2ace97bfc70d8b21bf3462ded85afc4f73fe52f
3972
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml
xml
MD5: 44982e1d48434c0ab3e8277e322dd1e4
SHA256: 3e661d3f1ff3977b022a0acc26b840b5e57d600bc03dcfc6befdb408c665904c
3972
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
xml
MD5: e792264bec29005b9044a435fba185ab
SHA256: 5298fd2f119c43d04f6cf831f379ec25b4156192278e40e458ec356f9b49d624
1664
rad51EE9.tmp
C:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus
text
MD5: aaf8f7a9a558ffd8fc5da178ef823100
SHA256: 836d9c6dcc54e3888a57d9f9d0fa4a28712e46b06c6c229c519db952d29ac4b8
1664
rad51EE9.tmp
C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
––
MD5:  ––
SHA256:  ––
1664
rad51EE9.tmp
C:\Users\admin\AppData\Local\Temp\6893A5~1\state
text
MD5: 69a592d20430d6841d513093eb817eeb
SHA256: 87399be0f2a3df4b17a8209acfd3196a93b56a91caf9e093c2b79fe1e95aabe7
1664
rad51EE9.tmp
C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
––
MD5:  ––
SHA256:  ––
3972
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\session.xml
text
MD5: 1fd5b50adc1e9ad245c95d13be7be64f
SHA256: c26df0550a705b0c766fca6536e0f38983dcf6cbdfa9618a301d9e0601edd138
3972
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
text
MD5: f70f579156c93b097e656caba577a5c9
SHA256: b926498a19ca95dc28964b7336e5847107dd3c0f52c85195c135d9dd6ca402d4
3972
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\config.xml
xml
MD5: 6a00086a43de03d2ad0264b7555cdcc8
SHA256: 6f0c8f206d04ff7e3e7fb502008e207c193195278e4e31913412efb5d4a7d673

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
3
Threats
6

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3856 WScript.exe GET 200 67.220.185.114:80 http://blackcrowproductions.com/wp-content/themes/twentyeleven/colors/inf.inf US
executable
suspicious
–– –– GET 200 2.16.106.50:80 http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D unknown
der
whitelisted
–– –– GET 200 2.16.106.50:80 http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D unknown
der
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3856 WScript.exe 67.220.185.114:80 24 SHELLS US suspicious
1664 rad51EE9.tmp 76.73.17.194:9090 Cogent Communications US malicious
1664 rad51EE9.tmp 86.59.21.38:443 Tele2 Telecommunication GmbH AT malicious
1664 rad51EE9.tmp 154.35.32.5:443 Rethem Hosting LLC US unknown
3260 gup.exe 37.59.28.236:443 OVH SAS FR whitelisted
–– –– 2.16.106.50:80 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
blackcrowproductions.com 67.220.185.114
suspicious
notepad-plus-plus.org 37.59.28.236
whitelisted
ocsp.usertrust.com 2.16.106.50
2.16.106.80
whitelisted

Threats

PID Process Class Message
3856 WScript.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3856 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3856 WScript.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
1664 rad51EE9.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 653
1664 rad51EE9.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection
1664 rad51EE9.tmp Generic Protocol Command Decode SURICATA STREAM excessive retransmissions

Debug output strings

Process Message
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe 42C4C5846BB675C74E2B2C90C69AB44366401093