General Info

File name

PR.2960019953.exe

Full analysis
https://app.any.run/tasks/465cc3d0-fcfb-4d88-be43-9cfa06bbc5a3
Verdict
Malicious activity
Analysis date
6/12/2019, 04:24:31
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit, rat, nanocore

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5
dccd6b543d07b868759038230f944d31
SHA1
65ce2295ee8541016161f4754818963ea8de3577
SHA256
15469073b13b54c67d3747fa0d23333625e9de0fa58d92d2d80c47d07dd791cd
SSDEEP
24576:TNA3R5drXusNeUOhGxrVvQt34eHeDbeiRpoLDKHNiTIaf:+5PxZrBQt3JHURpoqtdaf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • lja.exe (PID: 2600)
  • RegSvcs.exe (PID: 2328)
  • lja.exe (PID: 2944)
  • RegSvcs.exe (PID: 3924)
Changes the autorun value in the registry
  • RegSvcs.exe (PID: 3924)
  • lja.exe (PID: 2600)
NanoCore was detected
  • RegSvcs.exe (PID: 3924)
Executable content was dropped or overwritten
  • RegSvcs.exe (PID: 3924)
  • PR.2960019953.exe (PID: 3412)
Creates files in the user directory
  • RegSvcs.exe (PID: 3924)
Drop AutoIt3 executable file
  • PR.2960019953.exe (PID: 3412)
Dropped object may contain Bitcoin addresses
  • PR.2960019953.exe (PID: 3412)
  • lja.exe (PID: 2944)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe | Win64 Executable (generic) (64.6%)
.dll | Win32 Dynamic Link Library (generic) (15.4%)
.exe | Win32 Executable (generic) (10.5%)
.exe | Generic Win/DOS Executable (4.6%)
.exe | DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:04:27 22:03:27+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
190976
InitializedDataSize:
139264
UninitializedDataSize:
null
EntryPoint:
0x1d759
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Dynamic link library
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
FileDescription:
F83CA72IA88W
OriginalFileName:
Y85AH78PF81Z
CompanyName:
J86NY76OG69F
FileVersion:
S78XB80FW72H
LegalCopyright:
Y70KJ74TM89G
ProductName:
L81PG68PV69L
ProductVersion:
1,0,0,0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
27-Apr-2019 20:03:27
Detected languages
English - United States
Process Default Language
Debug artifacts
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
FileDescription:
F83CA72IA88W
OriginalFilename:
Y85AH78PF81Z
CompanyName:
J86NY76OG69F
FileVersion:
S78XB80FW72H
LegalCopyright:
Y70KJ74TM89G
ProductName:
L81PG68PV69L
ProductVersion:
1,0,0,0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000110
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
27-Apr-2019 20:03:27
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                           Entropy
.text   0x00001000       0x0002E854    0x0002EA00  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ             6.69231
.rdata  0x00030000       0x00009A9C    0x00009C00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                        5.13286
.data   0x0003A000       0x000213D0    0x00000C00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE   3.25381
.gfids  0x0005C000       0x000000E8    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                        2.11154
.rsrc   0x0005D000       0x0001543F    0x00015600  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                        6.65819
.reloc  0x00073000       0x00001FCC    0x00002000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  6.64554
Resources
1, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 100, 101, 102, ASKNEXTVOL, GETPASSWORD1, LICENSEDLG, RENAMEDLG, REPLACEFILEDLG, STARTDLG

Imports
KERNEL32.dll
gdiplus.dll
USER32.dll (delay-loaded)

Exports

    No exports.
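The debug path (sfxrar32\Release\sfxrar.pdb) and the dialog resource names (ASKNEXTVOL, GETPASSWORD1, LICENSEDLG, RENAMEDLG, REPLACEFILEDLG, STARTDLG) are those of the WinRAR self-extracting stub, and the 56 files dropped into Temp\96075806 are consistent with that stub extracting an archive. An SFX keeps its archive as overlay data after the last section, so it can be carved and unpacked offline instead of being run. The script below is an added example, not code from the report or from ANY.RUN: it reads the section table with nothing but the standard library, computes where the mapped image ends, and looks for a RAR 4 or RAR 5 signature in the overlay. The report does not show the overlay itself, so the presence and format of the archive in this sample is an assumption; the built-in sample is a constructed minimal PE with a fake archive appended, used only to exercise the code. (Note also that TRiD's "Win64 Executable" guess above is wrong: the PE headers say IMAGE_FILE_MACHINE_I386 / PE32.)

```python
import struct
import sys

# RAR archive signatures: RAR 4.x and RAR 5 marker blocks.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"


def overlay_offset(pe: bytes) -> int:
    """Return the file offset at which the PE image proper ends.

    That is max(PointerToRawData + SizeOfRawData) over the section table;
    anything after it is overlay data the Windows loader never maps.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # SizeOfOptionalHeader
    first_section = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = first_section + 40 * i
        # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def carve_rar_overlay(pe: bytes):
    """Locate an appended RAR archive; return (offset, archive_bytes) or None."""
    start = overlay_offset(pe)
    overlay = pe[start:]
    for sig in (RAR5_SIG, RAR4_SIG):
        idx = overlay.find(sig)
        if idx != -1:
            return start + idx, overlay[idx:]
    return None


def build_sample_sfx() -> bytes:
    """Constructed stand-in for an SFX (not the sample from this report):
    a minimal PE-shaped stub with one section, then a fake RAR5 archive."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 1 section, no timestamp/symbols,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    # .text: VirtualSize 0x10, VirtualAddress 0x1000, raw 0x200 bytes at file offset 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + section).ljust(0x200, b"\0")
    text = b"\x90" * 0x200                       # section raw data, file offsets 0x200..0x400
    archive = RAR5_SIG + b"<constructed archive body>"
    return header + text + archive               # overlay (the archive) begins at 0x400


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sfx()
    hit = carve_rar_overlay(data)
    if hit is None:
        print("no RAR signature found in overlay")
    else:
        off, blob = hit
        print(f"overlay starts at 0x{overlay_offset(data):x}; RAR archive at 0x{off:x}, {len(blob)} bytes")
```

Run it with the sample's path as the only argument and write the returned bytes to a .rar file; a standard RAR tool can then list and extract the members without the stub ever executing. If the archive is password-protected (the SFX's GETPASSWORD1 dialog exists for that case) the listing still works but extraction needs the password the lure supplied.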

Processes

Total processes
36
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

PR.2960019953.exe (PID 3412)
+-- lja.exe (PID 2944)              drop and start; no specs
    +-- lja.exe (PID 2600)          start
        +-- RegSvcs.exe (PID 3924)  #NANOCORE
        +-- RegSvcs.exe (PID 2328)  no specs

Process information


PID
3412
CMD
"C:\Users\admin\AppData\Local\Temp\PR.2960019953.exe"
Path
C:\Users\admin\AppData\Local\Temp\PR.2960019953.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
J86NY76OG69F
Description
F83CA72IA88W
Version
S78XB80FW72H
Modules
Image
c:\users\admin\appdata\local\temp\pr.2960019953.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\96075806\lja.exe

PID
2944
CMD
"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe" mkn=ktu
Path
C:\Users\admin\AppData\Local\Temp\96075806\lja.exe
Indicators
No indicators
Parent process
PR.2960019953.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\96075806\lja.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll

PID
2600
CMD
C:\Users\admin\AppData\Local\Temp\96075806\lja.exe C:\Users\admin\AppData\Local\Temp\96075806\UTMIS
Path
C:\Users\admin\AppData\Local\Temp\96075806\lja.exe
Indicators
Parent process
lja.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\96075806\lja.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
3924
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
lja.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

PID
2328
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
No indicators
Parent process
lja.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\mssvp.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
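The process tree above has the shape of an AutoIt crypter followed by a .NET-utility host: the SFX runs an AutoIt runtime (lja.exe, "AutoIt v3 Script" from the AutoIt Team) out of %TEMP%, that runtime re-launches itself with a dropped file as argument, and the second instance starts RegSvcs.exe twice with an empty command line. RegSvcs.exe legitimately takes an assembly path; a bare invocation that then loads clr.dll, ws2_32.dll and dnsapi.dll (PID 3924) is consistent with a hollowed host running injected code. The rules below are an added example written for this page, not ANY.RUN's signatures: they run over constructed process records copied from the five monitored processes and flag the three lineage anomalies a detection engineer would look for. The rule names and the list of .NET utilities are my own choices, not names from the report.

```python
import ntpath

# Constructed process records modelled on the five monitored processes above.
PROCS = [
    {"pid": 3412, "ppid": None,
     "image": r"C:\Users\admin\AppData\Local\Temp\PR.2960019953.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\PR.2960019953.exe"',
     "description": "F83CA72IA88W", "company": "J86NY76OG69F"},
    {"pid": 2944, "ppid": 3412,
     "image": r"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe" mkn=ktu',
     "description": "AutoIt v3 Script", "company": "AutoIt Team"},
    {"pid": 2600, "ppid": 2944,
     "image": r"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe",
     "cmd": r"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe C:\Users\admin\AppData\Local\Temp\96075806\UTMIS",
     "description": "AutoIt v3 Script", "company": "AutoIt Team"},
    {"pid": 3924, "ppid": 2600,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "description": "Microsoft .NET Services Installation Utility", "company": "Microsoft Corporation"},
    {"pid": 2328, "ppid": 2600,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "description": "Microsoft .NET Services Installation Utility", "company": "Microsoft Corporation"},
]

# Signed .NET framework utilities that expect a target on the command line;
# a bare invocation does nothing useful, so it is a common hollowing host.
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                         "msbuild.exe", "applaunch.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def arguments(cmd: str) -> str:
    """Return the part of a Windows command line after the program token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def run_rules(procs):
    """Return a list of (rule, pid) findings, in process order."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        image = p["image"].lower()
        base = ntpath.basename(image)
        parent = by_pid.get(p["ppid"])
        # 1. .NET utility started with nothing to do: likely hollowed host.
        if base in DOTNET_HOLLOW_TARGETS and arguments(p["cmd"]) == "":
            findings.append(("dotnet_utility_without_arguments", p["pid"]))
        # 2. AutoIt runtime running from anywhere but an install directory.
        if p["description"] == "AutoIt v3 Script" and "\\program files" not in image:
            findings.append(("autoit_runtime_outside_program_files", p["pid"]))
        # 3. Something in a user-writable directory spawning a Windows binary.
        if parent and any(d in parent["image"].lower() for d in USER_WRITABLE) \
                and image.startswith("c:\\windows\\"):
            findings.append(("system_binary_spawned_from_user_writable_dir", p["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in run_rules(PROCS):
        print(f"PID {pid}: {rule}")
```

Rule 1 on its own fires on Visual Studio build servers and setup programs that invoke RegSvcs with arguments, which is why it requires an empty command line; rule 3 is the one worth alerting on in isolation, because nothing legitimately installed into a user's Temp directory should be launching framework utilities.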

Registry activity

Total events
881
Read events
864
Write events
17
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3412
PR.2960019953.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3412
PR.2960019953.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2600
lja.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ghhy.exe
C:\Users\admin\AppData\Local\Temp\96075806\lja.exe C:\Users\admin\AppData\Local\Temp\96075806\MKN_KT~1
3924
RegSvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TCP Monitor
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
2328
RegSvcs.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2328
RegSvcs.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
2328
RegSvcs.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_FolderType
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
2328
RegSvcs.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_TopViewID
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
2328
RegSvcs.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_TopViewVersion
0
2328
RegSvcs.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
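Two of the 17 registry writes are persistence: the AutoIt loader registers itself under a random value name (ghhy.exe) with an 8.3 short-name argument, and the hollowed RegSvcs.exe registers a copy under a GUID-named directory in Roaming as "TCP Monitor", the layout NanoCore installs use (the same directory receives run.dat in the file listing below). Note the second value is an unquoted path containing a space; a triage script that splits on the first space reads the image as "...\TCP" and misses the executable. The code below is an added example, not part of the report: it parses Run/RunOnce values the way CreateProcess resolves an unquoted path (extending the program token word by word until it names an executable) and scores the entries on constructed copies of the three write events above. The reason strings and extension list are my own.

```python
import re

GUID_RE = re.compile(r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?", re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed from the modification events listed above.
EVENTS = [
    {"pid": 2600, "process": "lja.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ghhy.exe",
     "value": r"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe C:\Users\admin\AppData\Local\Temp\96075806\MKN_KT~1"},
    {"pid": 3924, "process": "RegSvcs.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "TCP Monitor",
     "value": r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"},
    {"pid": 2328, "process": "RegSvcs.exe",
     "key": r"HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU",
     "name": "NodeSlots", "value": "0202020202"},
]


def is_run_key(key: str) -> bool:
    return key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce"))


def split_command(value: str):
    """Split a Run value into (image, args).

    Quoted program tokens are taken as-is. For unquoted values the program
    token is grown one space-separated word at a time until it ends in an
    executable extension, which is how CreateProcess resolves such paths.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    words = value.split(" ")
    for i in range(1, len(words) + 1):
        candidate = " ".join(words[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate, " ".join(words[i:]).strip()
    return words[0], " ".join(words[1:]).strip()


def triage(events):
    """Return {value_name: {image, args, reasons}} for suspicious Run writes."""
    out = {}
    for ev in events:
        if not is_run_key(ev["key"]):
            continue
        image, args = split_command(ev["value"])
        low = image.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if GUID_RE.search(image):
            reasons.append("GUID-named directory in image path")
        if re.search(r"~\d", args):
            reasons.append("8.3 short name passed as argument")
        if ev["process"].lower() != low.rsplit("\\", 1)[-1]:
            reasons.append(f"written by {ev['process']}, not by the registered program")
        if reasons:
            out[ev["name"]] = {"image": image, "args": args, "reasons": reasons}
    return out


if __name__ == "__main__":
    for name, info in triage(EVENTS).items():
        print(f"{name!r}: {info['image']} {info['args']}".rstrip())
        for r in info["reasons"]:
            print(f"    - {r}")
```

The "written by another program" reason is weak on its own (installers do exactly that); it matters here because the writer is a framework utility with no business registering startup entries. Cleanup needs both values removed and both images deleted, otherwise the surviving entry re-installs the other on next logon.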

Files activity

Executable files
2
Suspicious files
0
Text files
56
Unknown types
0

Dropped files

PID
Process
Filename
Type
3924
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\lja.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
2600
lja.exe
C:\Users\admin\AppData\Local\Temp\96075806\spd
text
MD5: 098f6bcd4621d373cade4e832627b4f6
SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2944
lja.exe
C:\Users\admin\AppData\Local\Temp\96075806\UTMIS
text
MD5: b9e3184dd5209dfcf15d89e8523b808b
SHA256: 32859493dc6fb7da72de94777799ef203fd945b9a682b5296777b38c85d25c30
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\tnl.mp4
text
MD5: c4f74e6a8ed878cf1d18176a48a3a63c
SHA256: 8c8ed28c9057618baabef69423cb357b1106ad89051da097b736405510509fd7
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\gus.docx
text
MD5: 9ea7426b3238fe98a37ffcdf95d8146a
SHA256: f3948a482c00cb2a306ee68dc27cb47be69a15b244c99e37452429bc8393456f
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\wpm.mp4
text
MD5: bc781b93aaa41cf7ec743c71c4607da9
SHA256: 25ef2d46a9c3e836b1114c7653850619f060efc0705f6e7e41a153c43f3bff32
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\hnp.jpg
text
MD5: 220c03e8fb43b41a3e9a497244d4a3c2
SHA256: 40c7efe69e125abb55fef939398de94aedd8b71925e0888b531ec1e7081aea26
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\juq.docx
text
MD5: db20459e29fe8936b3a6879102bcd039
SHA256: 44a7bda508b8fa1c7365d377a1cb7ebb067b131633ff49183a2477b5ab471406
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\wwg.ppt
text
MD5: 040f3ab867c9d75943cde48c8b60282c
SHA256: 87897b7661a31f5cb9dfd050e7ec15eb012236218521327fc637c23db539814f
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\gih.bmp
text
MD5: 7ae20f4a8aed6e3c0521298dbca3796c
SHA256: 10e1adfcc80dc4459f3a08012d5671a9d19487b78fa55eaa1b9cc75c84ce98d2
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\gah.mp4
text
MD5: 115ebd7e80f0721761f98e55fd18c5dd
SHA256: 4fac3c08431142a87e8b88258cd7a99a408c68b5c75e535d068d96ce3d169452
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\uuo.bmp
text
MD5: 11a1de14b05741400ee435594cdf44f5
SHA256: 1b8325d67e96318126ae5e03c5c758f86ecfe5de4aedf115175102a1b84611a0
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\qfp.mp4
text
MD5: 9078b5b3374404ec0fa3a6cb1eb6cc90
SHA256: 257d9f3afe5a7565477d70f99bad7d84774fae127054bef86c29f3de793d1524
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\tsq.txt
text
MD5: 63cff375bed21762979bdfb864098fc6
SHA256: 03de99baad808e23988664280ce28a81e21a8803752f9f1326fa21ce1b757758
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\dxv.pdf
text
MD5: 54ea17617f7dba3f0347acbc0d40458a
SHA256: b6dc4c7d2a01632099d94aca66f6a57eaa499def381823e91a1133041a72e764
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\lup.ppt
text
MD5: 0eb32b865183b3011938f88a814658dc
SHA256: 75610301ccd32adbb40a10ad7db4f88b17d426f3cd74943f52ca07ad89489dfb
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\gfv.ppt
text
MD5: 3eedf29edc62cb9f1458b66f6e40156b
SHA256: e8b929b0c562ea248fc7b6391cc78da6f2a2a89c6cf11e5170e639845c265f39
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\bko.ico
text
MD5: 6ce3ffb54524404629a68ff4c8b64327
SHA256: 0a8d37d194f842afe6a63ea0458369da9189368c8fcdb26653c18652bc2e3fd8
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\wib.mp3
text
MD5: 009a01ad50bda0b2266a420887ab6976
SHA256: 2610eb70763ebeb5905ea29e7b23dc7864dc10663baa3162f2b2dd383ddc4bd4
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\ghs.txt
text
MD5: 4d284e18674d4ce7d64efd9b0545cca4
SHA256: 4c354500dc47e0ef30227fea72fa8347e3b8beffbc52e7b8dbc6ba060d9f74d9
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\hoh.mp4
text
MD5: 52c441dd8bdea4480a0e0d408208c04d
SHA256: f637a4a0f1c724aae0644fc89660328ec6d0bc6e7c9d41e4125376a42abe25b6
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\sek.bmp
text
MD5: 5f8d728fa406b23e91aeb7f36efe8584
SHA256: 9fd1a45466f3f037bd22d7e048af6ffab8ad558e034b88ba173258efcc2bbf51
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\odb.ico
text
MD5: 1b9e27c89328b4dd94a327c5397d3fbb
SHA256: 1868d856570af9a75f09333088467d2321cad080b68fb05942c9548784f3c048
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\edu.mp3
text
MD5: 406e3c0e3e6fe45a7b008f9dc3619d9b
SHA256: 36d400ce4fc21642764e851207f041bd83c1e0e47123e61513ad7f3b197eb6c9
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\xqa.txt
text
MD5: 4fe41c36ee3b9375a6b6637245abe48f
SHA256: 65a25bd1c088b95e2ed20cd47b3166359dc502c7bbeb36a20385c0e73b58e1a1
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\tis.bmp
text
MD5: 7b44ef18ea3cfbb33f5f31ab35f0af91
SHA256: 2ca6f7e5eed6b4ee256b50aab27306c76141af855aed45f486a2c8b364e46c87
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\kwr.jpg
text
MD5: 791da6452273aa2daf41b9b3b1e85bb9
SHA256: 124fa1cdd1e2f86a8e89dda73cc1497dfa696f24a5bcbc8081e2725434c02df6
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\nle.txt
text
MD5: 85d395f7ac88ba552dc229206ab3f4d3
SHA256: 0062c85f7a580c995c282b23188735f100f0b07633737388eac1f08aba58faf6
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\hbq.xl
text
MD5: 908c259ca87acf9c765c277f95600d2a
SHA256: d9aafd0e94a2b075eedad2c9fbd96f23c4e0cff85dc71bc611a4bf2459843b2d
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\uks.xl
text
MD5: 235911a923c75d81b56364126fba7c85
SHA256: 10c99f4017b780af062e577027e068289414f45ebc44e96ae604f8587f8a9b8d
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\fis.bmp
text
MD5: d18ad5ac529181054ad91c567a0846ed
SHA256: 5b567c63ae3fab29b5ad25f8fe7da029ba50825850047a23fe507396de1c78af
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\cuj.mp3
text
MD5: 049d67eb5f1a91d9b5ad7ab023eaa677
SHA256: c2275860a28efb6f16e1ad20a63f2bea4cd9f09c52540edec7744540037a8d30
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\hpg.mp3
text
MD5: 5ee9edae184941ab2f87c2a9aa151027
SHA256: 4ccb1a1bc19c710d7dc31b33f68e4101e4e0d494899326e3afc3cefba8600852
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\dip.ppt
text
MD5: 90fe26e10f3f67547b72cc01a38cd692
SHA256: 058cdcd775eedab67cf9d40743603865b43c45fc130389f5cfea78a2fd662e6e
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\xmd.pdf
text
MD5: 527e0846723c97a34c535258f4e71295
SHA256: 58b740497b2b23afb3b185e12314c829b0389f8d1d5d50ad4adbc54039d46db8
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\fga.docx
text
MD5: 9adfcb7d2e4da8784bb8311029d67e40
SHA256: d22b1b1efcec4edac58ab9e77fdf83a63110e0465df20a28360e041fe4892ff5
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\uvg.mp4
text
MD5: 2b7d1380c378abb18f04078325599c5b
SHA256: 9aeac36407f8f7046855810d40fcf90df54ca264f9fe3e35de896f9678017c70
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\qgu.jpg
text
MD5: 59cddfcba79e0197c88a560905bb1ea8
SHA256: 331da32e60494da38ce4dfeb3a92cb70f13ea4da7fcf897d8e15912eb3383109
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\pod.xl
text
MD5: 953fc4f140fd1d3625a4c1908ad0e646
SHA256: 0780dbb1c391b53425e1b106c3977db323473a7451d94f6ea3cfad33ee5c71ac
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\svn.xl
text
MD5: a9896ed722d5c6b4a5c156def04e709f
SHA256: 2c443ff2dd551bdcd2fd98dd219ab0dc8821ca376db6faf6fd7e994353cead52
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\txm.docx
text
MD5: b9ad3b95799a467f078d47c3318e3e47
SHA256: 9576662d13ff9287bbbac8adf832b7e23cd298b2d71a8d30e3867f63565be48d
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\vgp.bmp
text
MD5: 67e64cbc9f79a9155cc4e2152b8c69ec
SHA256: df1c759a000e8f90ce680e9bb0206076b4f437c55c63b9bae65565d08dd2ee74
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\ppx.docx
text
MD5: b48f6834c5cb66ab1936a56b8d242af9
SHA256: 75eef40ec001e306f0bf307b0b7c62e52a75fa82b44bad516388c7a18c992a38
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\ikq.ppt
text
MD5: 1caa727ad63289c8a976866cf9e6b471
SHA256: e4c0947d805f9215a54e5fc5ed7011fce9b31d2c8aadb4a297d8d37c83da1465
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\gja.xl
text
MD5: 0e78b3a6f20fe1440965881aced1c0da
SHA256: d8dab14089d9b63fbb856b71a977dd2e7ecebdfd917ce6ac70423360e5626c86
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\vqo.mp3
text
MD5: 0d0c27ce3b00f970fa3f466a99a2b187
SHA256: 52a4a5dd44702b2725343802ca4046746e2d52ce6123d9a9219451d141e8589f
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\mkm.ppt
text
MD5: 456d330650f9fbb3d6ab33f72ed33577
SHA256: 71692812b99ff5f0b0cfaecd1063d1bcb8c178963479ce83d20a6517b7f8639f
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\ToolTipConstants.pdf
text
MD5: eaace8c8a5d389739bbd50b42fb41a0d
SHA256: 4f7965d142ce8c6d0db009c10b1badc648336f76960f74b91e95d36923afc7e5
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\oka.jpg
text
MD5: 526d923b184b74e8d30bc6d6b26c01a1
SHA256: 330e040a217c2eeb9416c7607880141aeb23e326fc1791acff77d51b66f599fb
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\lpl.icm
text
MD5: 268bd53408a2466050d93ae2773d121a
SHA256: 3052417f8cb732deb618a37f0d99adc40316f5cbaf794d8740a8f41c26213c17
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\bih.icm
text
MD5: 166baa1ba76f6b652c335939629da50e
SHA256: c033441b545e2a88e9e5d8747198968e76f72cd1dabf92031a03c5c420522a3a
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\qgh.txt
text
MD5: 1892fa9d4dc3c2f4ee2717edb1dda94a
SHA256: 429a310a03904156585717888093862ce1f37544850c178a73ca0b898870f75c
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\ComboConstants.ico
text
MD5: 2a52ea466082d39bfe681149e8f3570e
SHA256: c9ee818d412113495ffef1f13b677af48f6c646fb69fb475c834c50d7e716b5a
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\pso.pdf
text
MD5: 9077c3dcddb00661587031cc26545d33
SHA256: 2f3b470e618e1b9ee528d7658a93df94d9d6c7ef386437c26c8b1553fe03d92c
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\uhq.docx
text
MD5: 9c1e4be999980684b6ac7a53c064adfa
SHA256: 30ecb6c2e0abb2955259d7584e98e702b616337f873b05738732b06d1bf93586
3412
PR.2960019953.exe
C:\Users\admin\AppData\Local\Temp\96075806\mkn=ktu
text
MD5: 590d75a860f33e75d3d66c24cdc759e3
SHA256: 0d8cb67e171ebce0181b8a98b0e95f488b4bfe9c6a7e8c4b7a151fc551dda1ab
3924
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 796131a5bf9d1cb1679362ff688cf75c
SHA256: 5f64e81b51148f55ae8a50f5b5afbbf03d208e98ae746ededf2d80afecda3668
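The drop list is characteristic of an AutoIt crypter: dozens of three-letter files with media and Office extensions that the sandbox classifies as text, two files with no extension (UTMIS, spd), the oddly named mkn=ktu that also appears on the loader's command line, and a single executable (the AutoIt runtime). Most of the bundle is decoy; the script and the encrypted payload hide among the unlabelled files. One detail is recoverable from the hashes alone: spd's MD5 098f6bcd4621d373cade4e832627b4f6 is the MD5 of the four-byte string "test". The triage below is an added example written for this page, not ANY.RUN's logic: it runs over a constructed subset of the table above (paths, types and MD5s copied from it), flags extension/content mismatches, groups them into a decoy bundle per directory, and rediscovers the placeholder content by hashing a few trivial strings. The thresholds and wording are my own.

```python
import hashlib
import ntpath
from collections import defaultdict

# Constructed subset of the "Dropped files" table: (pid, path, type, md5).
DROPPED = [
    (3924, r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe",
     "executable", "be5073ae05e68612ba0fc1a3d339e64c"),
    (3412, r"C:\Users\admin\AppData\Local\Temp\96075806\lja.exe", "executable", "c56b5f0201a3b3de53e561fe76912bfd"),
    (2600, r"C:\Users\admin\AppData\Local\Temp\96075806\spd", "text", "098f6bcd4621d373cade4e832627b4f6"),
    (2944, r"C:\Users\admin\AppData\Local\Temp\96075806\UTMIS", "text", "b9e3184dd5209dfcf15d89e8523b808b"),
    (3412, r"C:\Users\admin\AppData\Local\Temp\96075806\tnl.mp4", "text", "c4f74e6a8ed878cf1d18176a48a3a63c"),
    (3412, r"C:\Users\admin\AppData\Local\Temp\96075806\gus.docx", "text", "9ea7426b3238fe98a37ffcdf95d8146a"),
    (3412, r"C:\Users\admin\AppData\Local\Temp\96075806\hnp.jpg", "text", "220c03e8fb43b41a3e9a497244d4a3c2"),
    (3412, r"C:\Users\admin\AppData\Local\Temp\96075806\mkn=ktu", "text", "590d75a860f33e75d3d66c24cdc759e3"),
    (3924, r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat",
     "text", "796131a5bf9d1cb1679362ff688cf75c"),
]

# Extensions whose genuine content is binary: a "text" verdict on them means
# the file is not what its name says.
BINARY_EXT = {".mp4", ".mp3", ".docx", ".ppt", ".pdf", ".jpg", ".bmp", ".ico", ".icm", ".xl"}

# Trivial contents that turn up as placeholder files in crypter output,
# keyed by MD5 so a hash in a report can be matched without the file.
PLACEHOLDERS = {hashlib.md5(b).hexdigest(): repr(b)
                for b in (b"", b"test", b"test\r\n", b"0", b"1")}


def classify(dropped):
    """Return {path_or_dir: [observations]} for the entries worth a look."""
    findings = defaultdict(list)
    mislabelled_per_dir = defaultdict(int)
    for pid, path, ftype, md5 in dropped:
        name = ntpath.basename(path)
        ext = ntpath.splitext(name)[1].lower()
        low = path.lower()
        if ftype == "executable" and ("\\appdata\\" in low or "\\temp\\" in low):
            findings[path].append("executable written to user profile")
        if ext in BINARY_EXT and ftype == "text":
            findings[path].append(f"{ext} name but text content")
            mislabelled_per_dir[ntpath.dirname(path)] += 1
        if md5 in PLACEHOLDERS:
            findings[path].append(f"placeholder content {PLACEHOLDERS[md5]}")
        if ext == "" or "=" in name:
            findings[path].append("no/odd extension: candidate script or encrypted payload")
    for directory, n in mislabelled_per_dir.items():
        if n >= 3:
            findings[directory].append(f"{n} mislabelled media/office files: decoy bundle")
    return dict(findings)


if __name__ == "__main__":
    for path, notes in classify(DROPPED).items():
        print(path)
        for note in notes:
            print(f"    - {note}")
```

Run against the full 58-entry table the decoy count for Temp\96075806 rises to the fifties; the files to pull from the sandbox are the unextensioned ones (UTMIS, spd, mkn=ktu), since one of them is the AutoIt script the runtime was pointed at and another is the encrypted NanoCore payload.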

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
6
Threats
4

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3924 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3924 RegSvcs.exe 41.203.78.188:3243 globacom-as NG unknown

DNS requests

Domain IP Reputation
olarzy.duckdns.org 41.203.78.188 malicious
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
3924 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3924 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3924 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3924 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
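The network side is small but complete: the hollowed RegSvcs.exe (PID 3924) resolves olarzy.duckdns.org, gets 41.203.78.188, and connects to it on TCP 3243, which is the C2 channel the four ET INFO dynamic-DNS alerts point at. The dns.msftncsi.com lookup is Windows' own connectivity probe and is noise. A dynamic-DNS name alone is only an "INFO" class signal; what makes it a C2 candidate is the join of the lookup with the connection that follows it, from a process that has no business on the internet, on a port that is not a web port. The code below is an added example, not ANY.RUN's detection: it performs that join over constructed DNS and connection records copied from the tables above. The provider suffix list is a partial one of my own and the scoring weights are arbitrary.

```python
from collections import defaultdict

# Well-known dynamic-DNS provider suffixes (partial list; extend from your own intel).
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".no-ip.com", ".no-ip.biz", ".ddns.net",
                 ".hopto.org", ".zapto.org", ".sytes.net", ".myftp.biz", ".dynu.com")
WELL_KNOWN_PORTS = {53, 80, 443}
# Windows NCSI connectivity probe: benign, not attacker infrastructure.
NCSI_HOST = "dns.msftncsi.com"
# Signed framework utilities that never need outbound connections themselves.
NO_NETWORK_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}

# Constructed from the DNS requests and Connections tables above.
DNS = [
    {"pid": 3924, "process": "RegSvcs.exe", "qname": "olarzy.duckdns.org", "answers": ["41.203.78.188"]},
    {"pid": None, "process": None, "qname": "dns.msftncsi.com", "answers": ["131.107.255.255"]},
]
CONNS = [
    {"pid": 3924, "process": "RegSvcs.exe", "dst": "8.8.8.8", "port": 53},
    {"pid": 3924, "process": "RegSvcs.exe", "dst": "41.203.78.188", "port": 3243},
]


def is_ddns(qname: str) -> bool:
    return qname.lower().rstrip(".").endswith(DDNS_SUFFIXES)


def c2_candidates(dns, conns):
    """Join DNS answers to later connections by destination IP and score them."""
    resolved = defaultdict(set)                 # ip -> set of names that resolved to it
    for rec in dns:
        if rec["qname"].lower() == NCSI_HOST:
            continue
        for ip in rec["answers"]:
            resolved[ip].add(rec["qname"])
    out = []
    for c in conns:
        for qname in sorted(resolved.get(c["dst"], ())):
            score, reasons = 0, []
            if is_ddns(qname):
                score += 2
                reasons.append("dynamic DNS domain")
            if c["port"] not in WELL_KNOWN_PORTS:
                score += 1
                reasons.append(f"non-standard port {c['port']}")
            if c["process"] and c["process"].lower() in NO_NETWORK_HOSTS:
                score += 2
                reasons.append(f"{c['process']} has no legitimate outbound traffic")
            out.append({"pid": c["pid"], "domain": qname, "ip": c["dst"],
                        "port": c["port"], "score": score, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in c2_candidates(DNS, CONNS):
        print(f"PID {hit['pid']}: {hit['domain']} -> {hit['ip']}:{hit['port']} score={hit['score']}")
        for r in hit["reasons"]:
            print(f"    - {r}")
```

When turning this into indicators, treat the domain as the durable one: a DuckDNS name can be re-pointed at a new address in minutes, so the IP and port are worth recording with the analysis date (12 June 2019) but not worth blocking on their own for long. The 8.8.8.8:53 connection drops out of the join because nothing resolved to it; it is the resolver, not a destination.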

Debug output strings

No debug info.