analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

invoice notification 2019.zip

Full analysis: https://app.any.run/tasks/aa798cc7-2ed4-4c29-8819-7828d4e7eb76
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 15:46:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
rat
rms
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

0998D6DE2D0D148477DC88DD24650770

SHA1:

18BCF562C6FB41211FCA4F6CC8FDC3E078F45529

SHA256:

14B92CB9108B791915A82B903413EEBCDA3026406C96C9DAD0B5A986FA62AC63

SSDEEP:

1536:wtxR5pJhgbGG3+o8fpa5s1ZxStYu3KD/JWW32m5c6AD0syEo/W5jy:wtFpsbGG34a5sctY3D/J7ADZyl+5+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wprgxyeqd79.exe (PID: 4032)
      • rher.exe (PID: 2184)
      • uninstall.exe (PID: 3524)
      • exit.exe (PID: 1012)
      • veter1605_MAPS_10cr0.exe (PID: 3632)
      • winserv.exe (PID: 1144)
      • exit.exe (PID: 3888)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3812)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3812)

    • Loads dropped or rewritten executable

      • cmd.exe (PID: 1868)
      • wmiprvse.exe (PID: 2888)
      • taskkill.exe (PID: 3784)
      • taskkill.exe (PID: 2836)
      • taskkill.exe (PID: 3520)
      • taskkill.exe (PID: 2364)
      • taskkill.exe (PID: 2080)
      • taskkill.exe (PID: 3376)
      • taskkill.exe (PID: 2700)
      • cmd.exe (PID: 880)
      • taskkill.exe (PID: 2348)
      • veter1605_MAPS_10cr0.exe (PID: 3632)
      • taskkill.exe (PID: 3256)
      • taskkill.exe (PID: 3192)
      • taskkill.exe (PID: 3528)
      • taskkill.exe (PID: 3352)
      • PING.EXE (PID: 3392)
      • taskkill.exe (PID: 2152)
      • taskkill.exe (PID: 2916)
      • taskkill.exe (PID: 3416)
      • conhost.exe (PID: 2484)
      • taskkill.exe (PID: 3420)
      • taskkill.exe (PID: 2320)
      • taskkill.exe (PID: 2268)
      • taskkill.exe (PID: 3864)
      • taskkill.exe (PID: 2308)
      • taskkill.exe (PID: 3052)
      • taskkill.exe (PID: 2760)
      • taskkill.exe (PID: 2280)
      • taskkill.exe (PID: 2444)
      • taskkill.exe (PID: 4056)
      • taskkill.exe (PID: 620)
      • taskkill.exe (PID: 2596)
      • taskkill.exe (PID: 3432)
      • taskkill.exe (PID: 3500)
      • taskkill.exe (PID: 2548)
      • taskkill.exe (PID: 4080)
      • taskkill.exe (PID: 2260)
      • taskkill.exe (PID: 3456)
      • taskkill.exe (PID: 1472)
      • taskkill.exe (PID: 2384)
      • taskkill.exe (PID: 1472)
      • taskkill.exe (PID: 3112)
      • taskkill.exe (PID: 3760)
      • taskkill.exe (PID: 2248)
      • taskkill.exe (PID: 3012)
      • taskkill.exe (PID: 2896)
      • wprgxyeqd79.exe (PID: 4032)
      • taskkill.exe (PID: 3820)
      • taskkill.exe (PID: 4028)
      • taskkill.exe (PID: 3124)
      • taskkill.exe (PID: 3716)
      • taskkill.exe (PID: 1944)
      • taskkill.exe (PID: 1772)
      • taskkill.exe (PID: 3284)
      • taskkill.exe (PID: 3304)
      • taskkill.exe (PID: 3548)
      • taskkill.exe (PID: 3384)
      • taskkill.exe (PID: 2584)
      • taskkill.exe (PID: 3644)
      • taskkill.exe (PID: 2416)
      • taskkill.exe (PID: 3908)
      • taskkill.exe (PID: 2568)
      • taskkill.exe (PID: 2248)
      • taskkill.exe (PID: 3524)
      • taskkill.exe (PID: 3564)
      • taskkill.exe (PID: 2428)
      • taskkill.exe (PID: 3292)
      • taskkill.exe (PID: 2772)
      • taskkill.exe (PID: 3532)
      • taskkill.exe (PID: 3008)
      • taskkill.exe (PID: 3996)
      • WinRAR.exe (PID: 2976)
      • taskkill.exe (PID: 3128)
      • windanr.exe (PID: 2240)
      • taskkill.exe (PID: 2620)
      • taskkill.exe (PID: 3216)
      • taskkill.exe (PID: 860)
      • taskkill.exe (PID: 2916)
      • taskkill.exe (PID: 2304)
      • conhost.exe (PID: 2724)
      • WINWORD.EXE (PID: 3812)
      • winserv.exe (PID: 1144)
      • uninstall.exe (PID: 3524)
      • exit.exe (PID: 1012)
      • rher.exe (PID: 2184)
      • taskkill.exe (PID: 2300)
      • taskkill.exe (PID: 3064)
      • taskkill.exe (PID: 2712)
      • taskkill.exe (PID: 3456)
      • exit.exe (PID: 3888)
      • PING.EXE (PID: 3480)
      • taskkill.exe (PID: 3300)
      • taskkill.exe (PID: 3332)
      • taskkill.exe (PID: 3688)
      • taskkill.exe (PID: 3700)
      • taskkill.exe (PID: 3096)
      • reg.exe (PID: 2880)
      • taskkill.exe (PID: 2680)
      • taskkill.exe (PID: 3888)
      • taskkill.exe (PID: 2640)
      • taskkill.exe (PID: 700)
      • taskkill.exe (PID: 3500)
      • taskkill.exe (PID: 3440)
      • taskkill.exe (PID: 2804)
      • taskkill.exe (PID: 1632)
      • taskkill.exe (PID: 3232)
      • taskkill.exe (PID: 2188)
      • taskkill.exe (PID: 2472)
      • taskkill.exe (PID: 3604)
      • taskkill.exe (PID: 3552)
      • taskkill.exe (PID: 4004)
      • taskkill.exe (PID: 3096)
      • taskkill.exe (PID: 768)
      • taskkill.exe (PID: 3372)
      • taskkill.exe (PID: 2748)
      • taskkill.exe (PID: 3932)
      • taskkill.exe (PID: 3952)
      • taskkill.exe (PID: 2416)
      • taskkill.exe (PID: 3012)
      • taskkill.exe (PID: 3624)
      • taskkill.exe (PID: 3724)
      • taskkill.exe (PID: 3452)
      • taskkill.exe (PID: 2892)
      • taskkill.exe (PID: 3488)
      • taskkill.exe (PID: 2440)
      • taskkill.exe (PID: 2516)
      • taskkill.exe (PID: 3984)
      • taskkill.exe (PID: 3488)
      • taskkill.exe (PID: 3664)
      • taskkill.exe (PID: 2304)
      • taskkill.exe (PID: 3152)
      • taskkill.exe (PID: 3280)
      • taskkill.exe (PID: 3020)
      • taskkill.exe (PID: 776)
      • taskkill.exe (PID: 2348)
      • taskkill.exe (PID: 2328)
      • taskkill.exe (PID: 3840)
      • taskkill.exe (PID: 3540)
      • taskkill.exe (PID: 988)
      • taskkill.exe (PID: 3544)
      • taskkill.exe (PID: 2340)
      • taskkill.exe (PID: 2956)
      • taskkill.exe (PID: 2720)
      • taskkill.exe (PID: 568)
      • taskkill.exe (PID: 4008)
      • taskkill.exe (PID: 352)
      • taskkill.exe (PID: 488)
      • taskkill.exe (PID: 328)
      • taskkill.exe (PID: 3180)
      • taskkill.exe (PID: 3264)
      • taskkill.exe (PID: 3296)
      • taskkill.exe (PID: 3700)
      • taskkill.exe (PID: 2748)
      • taskkill.exe (PID: 2260)
      • taskkill.exe (PID: 2680)
      • taskkill.exe (PID: 3008)
      • taskkill.exe (PID: 4056)
      • taskkill.exe (PID: 2740)
      • taskkill.exe (PID: 3120)
      • taskkill.exe (PID: 3128)
      • taskkill.exe (PID: 2872)
      • taskkill.exe (PID: 272)
      • taskkill.exe (PID: 3448)
      • taskkill.exe (PID: 2560)
      • taskkill.exe (PID: 2380)
      • taskkill.exe (PID: 3444)
      • taskkill.exe (PID: 2848)
      • taskkill.exe (PID: 3784)
      • taskkill.exe (PID: 3980)
      • taskkill.exe (PID: 2996)
      • taskkill.exe (PID: 2736)
      • taskkill.exe (PID: 3580)
      • taskkill.exe (PID: 2088)
      • taskkill.exe (PID: 2848)
      • taskkill.exe (PID: 3172)
      • taskkill.exe (PID: 3084)
      • taskkill.exe (PID: 3448)
      • taskkill.exe (PID: 608)
      • taskkill.exe (PID: 3204)
      • taskkill.exe (PID: 3368)
      • taskkill.exe (PID: 1352)
      • taskkill.exe (PID: 3184)
      • taskkill.exe (PID: 2436)
      • taskkill.exe (PID: 2108)
      • taskkill.exe (PID: 2376)
      • taskkill.exe (PID: 2612)
      • taskkill.exe (PID: 1504)
      • taskkill.exe (PID: 2528)
      • taskkill.exe (PID: 1160)
      • taskkill.exe (PID: 3196)
      • taskkill.exe (PID: 3944)
      • taskkill.exe (PID: 4040)
      • taskkill.exe (PID: 2428)
      • taskkill.exe (PID: 3676)
      • taskkill.exe (PID: 2268)
      • taskkill.exe (PID: 3608)
      • taskkill.exe (PID: 3752)
      • taskkill.exe (PID: 2644)
      • taskkill.exe (PID: 2652)
      • taskkill.exe (PID: 2104)
      • taskkill.exe (PID: 4012)
      • taskkill.exe (PID: 4048)
      • taskkill.exe (PID: 2760)
      • taskkill.exe (PID: 3532)
      • taskkill.exe (PID: 2640)
      • taskkill.exe (PID: 3736)
      • taskkill.exe (PID: 1032)
      • taskkill.exe (PID: 3360)
      • taskkill.exe (PID: 1624)
      • taskkill.exe (PID: 3464)
      • taskkill.exe (PID: 2732)
      • taskkill.exe (PID: 2464)
      • taskkill.exe (PID: 3152)
      • taskkill.exe (PID: 2796)
      • taskkill.exe (PID: 2836)
      • taskkill.exe (PID: 3928)
      • taskkill.exe (PID: 3264)
      • taskkill.exe (PID: 3804)
      • taskkill.exe (PID: 3464)
      • taskkill.exe (PID: 2732)
      • taskkill.exe (PID: 3840)
      • taskkill.exe (PID: 4024)
      • taskkill.exe (PID: 2660)
      • taskkill.exe (PID: 3544)
      • taskkill.exe (PID: 3068)
      • taskkill.exe (PID: 776)
      • taskkill.exe (PID: 2824)
      • taskkill.exe (PID: 2288)
      • taskkill.exe (PID: 3384)
      • taskkill.exe (PID: 2772)
      • taskkill.exe (PID: 2592)
      • taskkill.exe (PID: 3148)
      • taskkill.exe (PID: 1120)
      • taskkill.exe (PID: 2476)
      • taskkill.exe (PID: 2360)
      • taskkill.exe (PID: 2468)
      • taskkill.exe (PID: 2300)
      • taskkill.exe (PID: 2572)
      • taskkill.exe (PID: 868)
      • taskkill.exe (PID: 3928)
      • taskkill.exe (PID: 2648)
      • taskkill.exe (PID: 2288)
      • taskkill.exe (PID: 3748)
      • taskkill.exe (PID: 3588)
      • taskkill.exe (PID: 3352)
      • taskkill.exe (PID: 3172)
      • taskkill.exe (PID: 2264)
      • taskkill.exe (PID: 3004)
      • taskkill.exe (PID: 2780)
      • taskkill.exe (PID: 3868)
      • taskkill.exe (PID: 3124)
      • taskkill.exe (PID: 3820)
      • taskkill.exe (PID: 3044)
      • taskkill.exe (PID: 1840)
      • taskkill.exe (PID: 2560)
      • taskkill.exe (PID: 2440)
      • taskkill.exe (PID: 3280)
      • taskkill.exe (PID: 3312)
      • taskkill.exe (PID: 3992)
      • taskkill.exe (PID: 772)
      • taskkill.exe (PID: 2168)
      • taskkill.exe (PID: 2960)
      • taskkill.exe (PID: 2972)
      • taskkill.exe (PID: 3140)
      • taskkill.exe (PID: 1436)
      • taskkill.exe (PID: 3368)
      • taskkill.exe (PID: 2904)
      • taskkill.exe (PID: 2728)
      • taskkill.exe (PID: 3620)
      • taskkill.exe (PID: 4016)
      • taskkill.exe (PID: 324)
      • taskkill.exe (PID: 3948)
      • taskkill.exe (PID: 2564)
      • taskkill.exe (PID: 3760)
      • taskkill.exe (PID: 4020)
      • taskkill.exe (PID: 3000)
      • taskkill.exe (PID: 3044)
      • taskkill.exe (PID: 2768)
      • taskkill.exe (PID: 2352)
      • taskkill.exe (PID: 3964)
      • taskkill.exe (PID: 2952)
      • taskkill.exe (PID: 3436)
      • taskkill.exe (PID: 1684)
      • taskkill.exe (PID: 3924)
      • taskkill.exe (PID: 1040)
      • taskkill.exe (PID: 272)
      • taskkill.exe (PID: 1876)
      • taskkill.exe (PID: 2944)
      • taskkill.exe (PID: 3884)
      • taskkill.exe (PID: 3288)
      • taskkill.exe (PID: 2596)
      • taskkill.exe (PID: 2528)
      • taskkill.exe (PID: 3556)
      • taskkill.exe (PID: 1492)
      • taskkill.exe (PID: 3284)
      • taskkill.exe (PID: 3620)
      • taskkill.exe (PID: 2564)
      • taskkill.exe (PID: 3056)
      • taskkill.exe (PID: 2652)
      • taskkill.exe (PID: 2712)
      • taskkill.exe (PID: 2104)
      • taskkill.exe (PID: 4080)
      • taskkill.exe (PID: 4008)
      • taskkill.exe (PID: 3320)
      • taskkill.exe (PID: 3416)
      • taskkill.exe (PID: 3768)
      • taskkill.exe (PID: 3636)
      • taskkill.exe (PID: 4088)
      • taskkill.exe (PID: 2516)
      • taskkill.exe (PID: 3964)
      • taskkill.exe (PID: 3676)
      • taskkill.exe (PID: 1632)
      • taskkill.exe (PID: 3884)
      • taskkill.exe (PID: 3908)
      • taskkill.exe (PID: 2812)
      • taskkill.exe (PID: 1504)
      • taskkill.exe (PID: 664)
      • taskkill.exe (PID: 3184)
      • taskkill.exe (PID: 2892)
      • taskkill.exe (PID: 2368)
      • taskkill.exe (PID: 3624)
      • taskkill.exe (PID: 3844)
      • taskkill.exe (PID: 3492)
      • taskkill.exe (PID: 1812)
      • taskkill.exe (PID: 2420)
      • taskkill.exe (PID: 1024)
      • taskkill.exe (PID: 2252)
      • taskkill.exe (PID: 2332)
      • taskkill.exe (PID: 3872)
      • taskkill.exe (PID: 2584)
      • taskkill.exe (PID: 2188)
      • taskkill.exe (PID: 3996)
      • taskkill.exe (PID: 2656)
      • taskkill.exe (PID: 1572)
      • taskkill.exe (PID: 3628)
      • taskkill.exe (PID: 3612)
      • taskkill.exe (PID: 3988)
      • taskkill.exe (PID: 3064)
      • taskkill.exe (PID: 3988)
      • taskkill.exe (PID: 2340)
      • taskkill.exe (PID: 1256)
      • taskkill.exe (PID: 2956)
      • taskkill.exe (PID: 4024)
      • taskkill.exe (PID: 3584)
      • taskkill.exe (PID: 3076)
      • taskkill.exe (PID: 3444)
      • taskkill.exe (PID: 3664)
      • taskkill.exe (PID: 2788)
      • taskkill.exe (PID: 2252)
      • taskkill.exe (PID: 3536)
      • taskkill.exe (PID: 1872)
      • taskkill.exe (PID: 2496)
      • taskkill.exe (PID: 1840)
      • taskkill.exe (PID: 860)
      • taskkill.exe (PID: 1904)
      • taskkill.exe (PID: 2832)
      • taskkill.exe (PID: 2336)
      • taskkill.exe (PID: 2488)
      • taskkill.exe (PID: 3728)
      • taskkill.exe (PID: 3028)
      • taskkill.exe (PID: 1124)
      • taskkill.exe (PID: 3192)
      • taskkill.exe (PID: 3956)
      • taskkill.exe (PID: 2344)
      • taskkill.exe (PID: 2284)
      • taskkill.exe (PID: 1412)
      • taskkill.exe (PID: 1340)
      • taskkill.exe (PID: 3176)
      • taskkill.exe (PID: 700)
      • taskkill.exe (PID: 1208)
      • taskkill.exe (PID: 2464)
      • taskkill.exe (PID: 3932)
      • taskkill.exe (PID: 972)
      • taskkill.exe (PID: 3324)
      • taskkill.exe (PID: 1024)
      • taskkill.exe (PID: 1692)
      • taskkill.exe (PID: 2904)
      • taskkill.exe (PID: 3628)
      • taskkill.exe (PID: 3296)
      • taskkill.exe (PID: 4028)
      • taskkill.exe (PID: 2344)
      • taskkill.exe (PID: 3048)
      • taskkill.exe (PID: 3992)
      • taskkill.exe (PID: 2512)
      • taskkill.exe (PID: 2540)
      • taskkill.exe (PID: 2456)
      • taskkill.exe (PID: 2684)
      • taskkill.exe (PID: 2496)
      • taskkill.exe (PID: 3924)
      • taskkill.exe (PID: 3748)
      • taskkill.exe (PID: 3412)
      • taskkill.exe (PID: 3248)
      • taskkill.exe (PID: 4052)
      • taskkill.exe (PID: 3972)
      • taskkill.exe (PID: 844)
      • taskkill.exe (PID: 2380)
      • taskkill.exe (PID: 1068)
      • taskkill.exe (PID: 3056)
      • taskkill.exe (PID: 3032)
      • taskkill.exe (PID: 4044)
      • taskkill.exe (PID: 2600)
      • taskkill.exe (PID: 1068)
      • taskkill.exe (PID: 3732)
      • taskkill.exe (PID: 1436)
      • taskkill.exe (PID: 4044)
      • taskkill.exe (PID: 952)
      • taskkill.exe (PID: 3376)
      • taskkill.exe (PID: 324)
      • taskkill.exe (PID: 1572)
      • taskkill.exe (PID: 3548)
      • taskkill.exe (PID: 3180)
      • taskkill.exe (PID: 4072)
      • taskkill.exe (PID: 3604)
      • taskkill.exe (PID: 1032)
      • taskkill.exe (PID: 1668)
      • taskkill.exe (PID: 3268)
      • taskkill.exe (PID: 3692)
      • taskkill.exe (PID: 2448)
      • taskkill.exe (PID: 1880)
      • taskkill.exe (PID: 2692)
      • taskkill.exe (PID: 2452)
      • taskkill.exe (PID: 1576)
      • taskkill.exe (PID: 3000)
      • taskkill.exe (PID: 328)
      • taskkill.exe (PID: 1452)
      • taskkill.exe (PID: 4088)
      • taskkill.exe (PID: 2296)
      • taskkill.exe (PID: 3808)
      • taskkill.exe (PID: 3516)
      • taskkill.exe (PID: 2308)
      • taskkill.exe (PID: 620)
      • taskkill.exe (PID: 3324)
      • taskkill.exe (PID: 2648)
      • taskkill.exe (PID: 868)
      • taskkill.exe (PID: 3860)
      • taskkill.exe (PID: 2860)
      • taskkill.exe (PID: 1132)
      • taskkill.exe (PID: 3844)
      • taskkill.exe (PID: 756)
      • taskkill.exe (PID: 3212)
      • taskkill.exe (PID: 2688)
      • taskkill.exe (PID: 3656)
      • taskkill.exe (PID: 3460)
      • taskkill.exe (PID: 3720)
      • taskkill.exe (PID: 3028)
      • taskkill.exe (PID: 3336)
      • taskkill.exe (PID: 3764)
      • taskkill.exe (PID: 2492)
      • taskkill.exe (PID: 2744)
      • taskkill.exe (PID: 3188)
      • taskkill.exe (PID: 2960)
      • taskkill.exe (PID: 4036)
      • taskkill.exe (PID: 2148)
      • taskkill.exe (PID: 4000)
      • taskkill.exe (PID: 2756)
      • taskkill.exe (PID: 3960)
      • taskkill.exe (PID: 1712)
      • taskkill.exe (PID: 2232)
      • taskkill.exe (PID: 768)
      • taskkill.exe (PID: 1832)
      • taskkill.exe (PID: 3640)
      • taskkill.exe (PID: 2876)
      • taskkill.exe (PID: 2368)
      • taskkill.exe (PID: 1516)
      • taskkill.exe (PID: 1668)
      • taskkill.exe (PID: 3984)
      • taskkill.exe (PID: 3380)
      • taskkill.exe (PID: 3420)
      • taskkill.exe (PID: 3212)
      • taskkill.exe (PID: 4084)
      • taskkill.exe (PID: 1072)
      • taskkill.exe (PID: 2572)
      • taskkill.exe (PID: 3960)
      • taskkill.exe (PID: 3336)
      • taskkill.exe (PID: 3408)
      • taskkill.exe (PID: 3864)
      • taskkill.exe (PID: 664)
      • taskkill.exe (PID: 4048)
      • taskkill.exe (PID: 2100)
      • taskkill.exe (PID: 1624)
      • taskkill.exe (PID: 4004)
      • taskkill.exe (PID: 2912)
      • taskkill.exe (PID: 344)
      • taskkill.exe (PID: 3048)
      • taskkill.exe (PID: 1768)
      • taskkill.exe (PID: 2860)
      • taskkill.exe (PID: 2908)
      • taskkill.exe (PID: 3196)
      • taskkill.exe (PID: 2788)
      • taskkill.exe (PID: 3904)
      • taskkill.exe (PID: 3300)
      • taskkill.exe (PID: 2832)
      • taskkill.exe (PID: 344)
      • taskkill.exe (PID: 2948)
      • taskkill.exe (PID: 2364)
      • taskkill.exe (PID: 2316)
      • taskkill.exe (PID: 3872)
      • taskkill.exe (PID: 3768)
      • taskkill.exe (PID: 3856)
      • taskkill.exe (PID: 2728)
      • taskkill.exe (PID: 2436)
      • taskkill.exe (PID: 2952)
      • taskkill.exe (PID: 3288)
      • taskkill.exe (PID: 952)
      • taskkill.exe (PID: 2612)
      • taskkill.exe (PID: 3520)
      • taskkill.exe (PID: 2512)
      • taskkill.exe (PID: 3652)
      • taskkill.exe (PID: 3980)
      • taskkill.exe (PID: 2140)
      • taskkill.exe (PID: 4036)
      • taskkill.exe (PID: 2548)
      • taskkill.exe (PID: 1132)
      • taskkill.exe (PID: 3084)
      • taskkill.exe (PID: 3040)
      • taskkill.exe (PID: 2672)
      • taskkill.exe (PID: 3800)
      • taskkill.exe (PID: 304)
      • taskkill.exe (PID: 2420)
      • taskkill.exe (PID: 3588)
      • taskkill.exe (PID: 3132)
      • taskkill.exe (PID: 1684)
      • taskkill.exe (PID: 3272)
      • taskkill.exe (PID: 1860)
      • taskkill.exe (PID: 2672)
      • taskkill.exe (PID: 1768)
      • taskkill.exe (PID: 2292)
      • taskkill.exe (PID: 2388)
      • taskkill.exe (PID: 3468)
      • taskkill.exe (PID: 3428)
      • taskkill.exe (PID: 2392)
      • taskkill.exe (PID: 3652)
      • taskkill.exe (PID: 2684)
      • taskkill.exe (PID: 2708)
      • taskkill.exe (PID: 3804)
      • taskkill.exe (PID: 3120)
      • taskkill.exe (PID: 3244)
      • taskkill.exe (PID: 1664)
      • taskkill.exe (PID: 2644)
      • taskkill.exe (PID: 3148)
      • taskkill.exe (PID: 1692)
      • taskkill.exe (PID: 2400)
      • taskkill.exe (PID: 1276)
      • taskkill.exe (PID: 1500)
      • taskkill.exe (PID: 2400)
      • taskkill.exe (PID: 4072)
      • taskkill.exe (PID: 3944)
      • taskkill.exe (PID: 1340)
      • taskkill.exe (PID: 2232)
      • taskkill.exe (PID: 2780)
      • taskkill.exe (PID: 3616)
      • taskkill.exe (PID: 2692)
      • taskkill.exe (PID: 3076)
      • taskkill.exe (PID: 3660)
      • taskkill.exe (PID: 236)
      • taskkill.exe (PID: 3244)
      • taskkill.exe (PID: 2176)
      • taskkill.exe (PID: 2804)
      • taskkill.exe (PID: 2376)
      • taskkill.exe (PID: 3956)
      • taskkill.exe (PID: 1904)
      • taskkill.exe (PID: 3772)
      • taskkill.exe (PID: 1452)
      • taskkill.exe (PID: 3272)
      • taskkill.exe (PID: 1040)
      • taskkill.exe (PID: 3752)
      • taskkill.exe (PID: 2280)
      • taskkill.exe (PID: 2928)
      • taskkill.exe (PID: 3596)
      • taskkill.exe (PID: 684)
      • taskkill.exe (PID: 3304)
      • taskkill.exe (PID: 2336)
      • taskkill.exe (PID: 1712)
      • taskkill.exe (PID: 3568)
      • taskkill.exe (PID: 3644)
      • taskkill.exe (PID: 2668)
      • taskkill.exe (PID: 2828)
      • taskkill.exe (PID: 3656)
      • taskkill.exe (PID: 1476)
      • taskkill.exe (PID: 320)
      • taskkill.exe (PID: 4076)
      • taskkill.exe (PID: 3776)
      • taskkill.exe (PID: 1012)
      • taskkill.exe (PID: 3004)
      • taskkill.exe (PID: 2880)
      • taskkill.exe (PID: 3248)
      • taskkill.exe (PID: 2736)
      • taskkill.exe (PID: 3596)
      • taskkill.exe (PID: 3636)
      • taskkill.exe (PID: 3436)
      • taskkill.exe (PID: 1412)
      • taskkill.exe (PID: 2424)
      • taskkill.exe (PID: 2924)
      • taskkill.exe (PID: 3208)
      • taskkill.exe (PID: 3712)
      • taskkill.exe (PID: 2328)
      • taskkill.exe (PID: 2704)
      • taskkill.exe (PID: 2840)
      • taskkill.exe (PID: 3868)
      • taskkill.exe (PID: 4012)
      • taskkill.exe (PID: 3140)
      • taskkill.exe (PID: 3704)
      • taskkill.exe (PID: 3364)
      • taskkill.exe (PID: 4052)
      • taskkill.exe (PID: 3408)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2880)

    • RMS RAT was detected

      • winserv.exe (PID: 1144)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wprgxyeqd79.exe (PID: 4032)
      • cmd.exe (PID: 1868)
      • uninstall.exe (PID: 3524)
      • veter1605_MAPS_10cr0.exe (PID: 3632)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2976)

    • Starts CMD.EXE for commands execution

      • exit.exe (PID: 1012)
      • exit.exe (PID: 3888)

    • Creates files in the program directory

      • uninstall.exe (PID: 3524)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 880)

    • Creates files in the user directory

      • winserv.exe (PID: 1144)

    • Reads the machine GUID from the registry

      • winserv.exe (PID: 1144)

    • Reads Windows Product ID

      • winserv.exe (PID: 1144)

    • Reads Environment values

      • winserv.exe (PID: 1144)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 880)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3812)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3812)

    • Dropped object may contain Bitcoin addresses

      • wprgxyeqd79.exe (PID: 4032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: invoice notification 2019.doc
ZipUncompressedSize: 155136
ZipCompressedSize: 82153
ZipCRC: 0xa981c4b0
ZipModifyDate: 2019:05:16 10:57:18
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
640
Monitored processes
609
Malicious processes
9
Suspicious processes
67

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start winrar.exe no specs winword.exe wprgxyeqd79.exe exit.exe no specs cmd.exe ping.exe no specs rher.exe ping.exe no specs uninstall.exe veter1605_maps_10cr0.exe exit.exe no specs cmd.exe no specs reg.exe #RMS winserv.exe taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs windanr.exe no specs conhost.exe no specs conhost.exe no specs wmiprvse.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2976"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\invoice notification 2019.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3812"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2976.20883\invoice notification 2019.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
4032C:\Users\Public\wprgxyeqd79.exeC:\Users\Public\wprgxyeqd79.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1012"C:\Users\admin\AppData\Local\Temp\exit.exe" C:\Users\admin\AppData\Local\Temp\exit.exewprgxyeqd79.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1868cmd /c i.cmdC:\Windows\system32\cmd.exe
exit.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3392ping www.cloudflare.com -n 3 -w 3000C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2184C:\Users\Public\rher.exeC:\Users\Public\rher.exe
WINWORD.EXE
User:
admin
Company:
x264 project
Integrity Level:
MEDIUM
Description:
Nkcreatestaticmapping Aboriginal Year
Version:
5.7.3.790
3480ping www.cloudflare.com -n 3 -w 1000C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3524uninstall.exe x -pQELRatcwbU2EJ5 -yC:\Users\admin\AppData\Local\Temp\uninstall.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3632veter1605_MAPS_10cr0.exe C:\Users\admin\AppData\Local\Temp\veter1605_MAPS_10cr0.exe
cmd.exe
User:
admin
Company:
Miranda IM
Integrity Level:
MEDIUM
Description:
Tile Textheight Clipbook Mostly Wading
Exit code:
0
Version:
8.7.56.236
Total events
3 024
Read events
2 945
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
2
Text files
8
Unknown types
2

Dropped files

PID
Process
Filename
Type
3812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR4A70.tmp.cvr
MD5:
SHA256:
3812WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Rar$DIa2976.20883\~$voice notification 2019.docpgc
MD5:1F38D850ADFD7C2F5658468ED5DA98E0
SHA256:81A9D73117A1FE4BF94ECFDB841056735360C876B38EEBD44B471EA4C98321A0
2976WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2976.20883\invoice notification 2019.docdocument
MD5:0A4CDBB04CCE002CA94D8F79C5113AC6
SHA256:9E061EAEC56CD40DEAA792918A1C46146B2410A98F037453A745B1AA4F43ADC5
4032wprgxyeqd79.exeC:\Users\admin\AppData\Local\Temp\i.cmdtext
MD5:E8E66827FFE84E0C28A2EB6A5073354F
SHA256:C69CE39AC3E178A89076136AF7418C6CB664844B0CE5CB643912ED56C373A08A
3524uninstall.exeC:\ProgramData\Windows Anytime Upgrade\exit.exeexecutable
MD5:E488DECBB44AD1A3430E82B57A70615E
SHA256:FD701894E7EC8D8319BC9B32BBA5892B11BDF608C3D04C2F18EFF83419EB6DF0
3524uninstall.exeC:\ProgramData\Windows Anytime Upgrade\settings.datbinary
MD5:46FF979A07CD2721DC14DA7EDF386AD7
SHA256:210BB55664D291D82B94B9CEA6FCF41029EDED9ECA6E7FE7B7D58715407A0703
3812WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ananas[1].exeexecutable
MD5:7E77BB853D227E06B635E6EB3E0B31F0
SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165
4032wprgxyeqd79.exeC:\Users\admin\AppData\Local\Temp\exit.exeexecutable
MD5:E488DECBB44AD1A3430E82B57A70615E
SHA256:FD701894E7EC8D8319BC9B32BBA5892B11BDF608C3D04C2F18EFF83419EB6DF0
3632veter1605_MAPS_10cr0.exeC:\Users\admin\AppData\Local\Temp\1D86.tmpexecutable
MD5:ED60C95C805DBAEE92C90C3AB930085A
SHA256:D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39
3524uninstall.exeC:\ProgramData\Windows Anytime Upgrade\i.cmdtext
MD5:4957715BBD77615B43F5A409D4687033
SHA256:4A113391615785F0C4E358938EEA2061040941DCD3CB09658D174A60AB683CF1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
31
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2184
rher.exe
GET
185.13.39.197:80
http://185.13.39.197/tor/server/fp/00e1649e69ff91d7f01e74a5e62ef14f7d9915e4
FR
suspicious
2184
rher.exe
GET
162.247.74.201:80
http://162.247.74.201/tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887
US
suspicious
2184
rher.exe
GET
199.58.81.140:80
http://199.58.81.140/tor/status-vote/current/consensus
CA
suspicious
2184
rher.exe
GET
162.247.74.201:80
http://162.247.74.201/tor/server/fp/0011bd2485ad45d984ec4159c88fc066e5e3300e
US
suspicious
2184
rher.exe
GET
89.236.112.100:80
http://89.236.112.100/tor/server/fp/00b87ecf94c71dbf56805eb4469baf3924a13ad7
FI
suspicious
2184
rher.exe
GET
176.10.104.240:80
http://176.10.104.240/tor/server/fp/00cce6a84e6d63a1a42e105839bc8ed5d4b16669
CH
malicious
2184
rher.exe
GET
199.249.230.103:80
http://199.249.230.103/tor/server/fp/003d78825e0b9609eecff5e4e0529717772e53c7
US
suspicious
2184
rher.exe
GET
176.10.104.240:80
http://176.10.104.240/tor/server/fp/00cce6a84e6d63a1a42e105839bc8ed5d4b16669
CH
malicious
2184
rher.exe
GET
162.247.74.201:80
http://162.247.74.201/tor/server/fp/00cce6a84e6d63a1a42e105839bc8ed5d4b16669
US
suspicious
2184
rher.exe
GET
104.218.63.73:80
http://104.218.63.73/tor/server/fp/0077bcba7244db3e6a5ed2746e86170066684887
CA
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2184
rher.exe
104.218.63.73:443
Tech Futures Interactive Inc.
CA
suspicious
3812
WINWORD.EXE
47.245.58.124:443
kentona.su
US
suspicious
2184
rher.exe
199.58.81.140:80
Koumbit
CA
suspicious
2184
rher.exe
54.243.147.226:443
api.ipify.org
Amazon.com, Inc.
US
malicious
2184
rher.exe
199.249.230.103:80
Quintex Alliance Consulting
US
suspicious
2184
rher.exe
162.247.74.201:80
The Calyx Institute
US
suspicious
2184
rher.exe
129.6.15.28:13
time-a.nist.gov
National Bureau of Standards
US
unknown
1144
winserv.exe
217.12.201.159:5655
ITL Company
NL
suspicious
2184
rher.exe
104.218.63.73:80
Tech Futures Interactive Inc.
CA
suspicious
199.249.230.103:80
Quintex Alliance Consulting
US
suspicious

DNS requests

Domain
IP
Reputation
kentona.su
  • 47.245.58.124
malicious
www.cloudflare.com
  • 104.17.209.9
  • 104.17.210.9
whitelisted
api.ipify.org
  • 54.243.147.226
  • 54.225.171.237
  • 50.16.229.140
  • 54.243.198.12
  • 23.21.121.219
  • 54.235.124.112
  • 107.22.215.20
  • 54.204.36.156
shared
time-a.nist.gov
  • 129.6.15.28
whitelisted
time-a-g.nist.gov
  • 129.6.15.28
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2184
rher.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 298
2184
rher.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2184
rher.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2184
rher.exe
Misc Attack
ET TOR Known Tor Exit Node Traffic group 46
2184
rher.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 47
2184
rher.exe
Potential Corporate Privacy Violation
ET P2P Tor Get Server Request
2184
rher.exe
Misc Attack
ET TOR Known Tor Exit Node Traffic group 2
2184
rher.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2
2184
rher.exe
Misc Attack
ET TOR Known Tor Exit Node Traffic group 12
6 ETPRO signatures available at the full report
Process
Message
winserv.exe
Error WTSQueryUserToken #1314
winserv.exe
20-05-2019_16:47:03:238#T:Error #20 @2
winserv.exe
20-05-2019_16:47:33:644#T:Msg Size: 104
winserv.exe
20-05-2019_16:47:33:644#T:Msg code: 3
winserv.exe
20-05-2019_16:47:33:644#T:MSG_KEEP_ALIVE
winserv.exe
MSG_KEEP_ALIVE
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
invoice notification 2019.zip