General Info

File name

AdviceRemittanceConfirmation_BankDetailsAprroved934857438093Output.js

Full analysis
https://app.any.run/tasks/1bb60165-778f-43a7-8726-ff440cb75ddd
Verdict
Malicious activity
Analysis date
4/15/2019, 09:04:14
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
text/plain
File info:
ASCII text, with very long lines, with CRLF line terminators
MD5

9e8550033dd6f88ba9a07309394abb11

SHA1

a71d787348796593c7f4010c8f5912b44d0bd11b

SHA256

1c14f62d89d7dc9acce65985ec84e8ca2277d8903a13bfd5482eec17feff57b7

SSDEEP

24576:1ik/d96Q9JKHZPjo3QN83k9PyPYquL3kekZuSEAXYX/dLlvTguiYzHbrkdU2n:1RmWA8oPyQqmkhExpJTguKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • RegSvcs.exe (PID: 2516)
  • ejn.exe (PID: 3504)
NanoCore was detected
  • RegSvcs.exe (PID: 2516)
Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 2516)
  • ejn.exe (PID: 2736)
  • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
  • ejn.exe (PID: 3504)
Creates files in the user directory
  • RegSvcs.exe (PID: 2516)
Application launched itself
  • ejn.exe (PID: 2736)
Executable content was dropped or overwritten
  • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
  • WinRAR.exe (PID: 3568)
  • RegSvcs.exe (PID: 2516)
Starts application with an unusual extension
  • WinRAR.exe (PID: 3568)
Drop AutoIt3 executable file
  • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
Dropped object may contain Bitcoin addresses
  • AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr (PID: 3192)
  • ejn.exe (PID: 2736)


Static information

Screenshots

Processes

Total processes
37
Monitored processes
6
Malicious processes
6
Suspicious processes
0

Behavior graph

start drop and start drop and start wscript.exe no specs winrar.exe adviceremittanceconfirmation_bankdetailsaprroved934857438.scr ejn.exe no specs ejn.exe #NANOCORE regsvcs.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
3008
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\AdviceRemittanceConfirmation_BankDetailsAprroved934857438093Output.js"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\program files\winrar\winrar.exe

PID
3568
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\yvtVtlDMtalW.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$dia3568.38113\adviceremittanceconfirmation_bankdetailsaprroved934857438.scr
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
3192
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$DIa3568.38113\AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Rar$DIa3568.38113\AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$dia3568.38113\adviceremittanceconfirmation_bankdetailsaprroved934857438.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\04286461\ejn.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
2736
CMD
"C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe" htr=pbc
Path
C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe
Indicators
No indicators
Parent process
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\04286461\ejn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3504
CMD
C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe C:\Users\admin\AppData\Local\Temp\04286461\ZUNRD
Path
C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe
Indicators
Parent process
ejn.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\04286461\ejn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
2516
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
ejn.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
1196
Read events
1164
Write events
32
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3568
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\yvtVtlDMtalW.zip
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3568
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@shell32,-10162
Screen saver
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000360102000000000039000000B40200000000000001000000
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000003401020000000000160000002A0000000000000002000000
3568
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000180106000000000016000000640000000000000003000000
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3504
ejn.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe C:\Users\admin\AppData\Local\Temp\04286461\HTR_PB~1
2516
RegSvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TCP Monitor
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
3
Suspicious files
1
Text files
53
Unknown types
0

Dropped files

PID
Process
Filename
Type
2516
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
3568
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa3568.38113\AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
executable
MD5: 843c2627bcb1f66ac303eb65776ce820
SHA256: a574e310cc63aa45c5fac50f2324d36a953a89b3bb046c62ee30e976c091ae9e
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ejn.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\nnu.txt
text
MD5: 742e813cbb8ecc57b75836d513dfc5fd
SHA256: 6bf7e3d060e9b8d0fa602674e7e515c09468c870e9bbbc694dcbcb3885dfc9fb
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\cpb.ppt
text
MD5: 9b07389a38450ffaf7a8946d4f639a47
SHA256: 0e885d87717d7c9d9a44aaab4a071cda551560fbaa80e5b58b1898cece126eca
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\pur.bmp
text
MD5: f5d6eadca9556bc265c78b2336073685
SHA256: b1055929fb31cadd568a6f41a4f094eb825755a0c02995f77f13b6e628182dad
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\hrm.docx
text
MD5: cd17f2b5ae8b8b214dcb48c35e481542
SHA256: 8c834f0a23dcad692c2c8d6cd2d1a4250b052aaa0fa51c30f0a0b176248a3f95
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\uxm.xl
text
MD5: b10273699422cd9e2df3b758f1835285
SHA256: b24f66b850dfa041753dfe4188420951010321ec68c702fe5398c261c09eefa6
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\duq.icm
text
MD5: 01e8ec141717cd615f9e19453a5941a3
SHA256: 9ed2aeb9190059f40f42d714b637924f759230458153302970797e5352c95e32
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\man.xl
text
MD5: d2752e3ff5c761e614aaebd09e673dc6
SHA256: f2729a8046772b062e60267e7cfa4cc24068bb16e71cb3fea210a062651a38d5
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\rpe.pdf
text
MD5: 36c032796e2ed7371a95d9168a5fecdd
SHA256: 057f8f4684049dced296b3bbeeb342b2d16540d942b331d806f68ba6a2778eac
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\rxo.ico
text
MD5: 657ed5725db66bdb991181dd63a6148b
SHA256: 2f8c0649930fb1afc91fd6fa00a487cfbd644a222272bfaf38792fda20930308
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ssf.bmp
text
MD5: 4d7740771fe1706370c0c108ee862e05
SHA256: 0713349ac2a6277090811901b469e8141d47ccec07ad525b9246a135e340598b
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\hec.icm
text
MD5: 41a86320cb27946dadee309e8798947e
SHA256: 368d0c42e14c9a47b97ca26e1493a052e9010330336d192ab7cdd49af5f145af
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\lwx.xl
text
MD5: eb9cf74f2ce21111e245aa292ac7e973
SHA256: 5fcf9d525d9a807113474f5b3755a2d79c2643ec7c09d2c8b7d856a162b5efbf
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ufj.mp4
text
MD5: 6d879444bb207183e3ed396d11c7a65a
SHA256: 9c630c7ffb0d8ff06d4a96487d90d1f5bb53f612dd4aa5cf53ca49cd36b4a559
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\kcj.jpg
text
MD5: bec6567893a3398510496acc9efe3583
SHA256: 315c34e795825a15b344ac9bc9f5bc240f4877832343e1d9ae7ef29dc1109ea7
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\rpn.ico
text
MD5: 66d6a69604104cc70b9083357acb8582
SHA256: 8f2b02be8a8b924f1da0c74c6d71db656d4503a94cac02bcc8a7089855547612
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\pkh.icm
text
MD5: 54ca0920b011e064f470e9625cd2867b
SHA256: 52060a70bcf407cd7e98f687f171cae54003693d66bf04e4b6bdc8f8d4ef3498
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\akd.ico
text
MD5: 6cfd247e005dd4e4b686ea6d96ebaac7
SHA256: 728781bfc68af2d90661d30631fe3548e123a506e2d176b45beccac262a13ca1
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\vqm.mp3
text
MD5: 30fb9f7449a3eeaad6b6645c42b19e3d
SHA256: 6566c72368f0f5ca3994c341f33a40ec2129ee39347801e6ed104ada9cddd20e
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\otb.dat
text
MD5: cc4d27651ef3cdd6e9a156d565ebb6e4
SHA256: c6e3cf078ebe8bf1845a7abd222d2499666ae1c12698c95ecec7ef854d675e2c
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\anw.mp3
text
MD5: 37b715feb1a74f71e491cbbfa39b7efc
SHA256: d10931b51900fc21244606a149a2982eb271cf881fb6bf7919b821af38515b65
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\qbw.mp4
text
MD5: f9a1cb2aeb86d1b6df3722991ab6a0ab
SHA256: ac19ce010dce4c9a04951c88597f537f247c713e91a806c374041f6fa8acfacd
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\gdr.icm
text
MD5: 79ff27321717ebf228241f025a0a9b06
SHA256: 54f89c225d52a44c0ebca91ae8251a7f44b9cd287b9c90498a8f894341dc0168
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\obg.xl
text
MD5: acdb6bc0493a8b403a85618a0da67b1e
SHA256: 38a7adb4d2b6510ead3446aa90f0acbb6ee4ccf915eaa2dccdddf2811d800168
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ssl.dat
text
MD5: 78dcfad6f994c723f0eefc0d841cfb96
SHA256: 27b6516f6318a2d3bb7a5417aed290461a27edae37bf15997ad615330f679939
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\fcm.xl
text
MD5: 392ff79bedd9fc95e34808b839369bb1
SHA256: cd978707c7f1aaf4138e728c1632bb44241254fdd0752a75b7063b03096f47de
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\kqt.xl
text
MD5: 6439f70fcff9c596dadb92312f6314d1
SHA256: cfbbdf6ef35c041716950eea8ba577d87549a4dbae1e3f58e8dec17492136948
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ugv.icm
text
MD5: c2ac4b355a809bdb96724d1fd9226b72
SHA256: 41edfb021084dbb39b90dfab14355b69f168188f43897578376a6f776ecc9184
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\sfr.docx
text
MD5: a58cab4d32b08498e1c93c393455f240
SHA256: e1137631ad369fac2814f84222ba960ea6f4535a7bc091488cd28f7f0f036c37
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\loi.mp3
text
MD5: 106407da17e58b96be4d733fc99bcf62
SHA256: 21f8e74b60479b3c3b58f8b535441efc95f8d0c7d649a86a8f501380d7a9488d
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ouc.jpg
text
MD5: 42f30f7b362f64b4299b072f59e1b285
SHA256: a32c22b56661af562271f1a2e51aa419e9e9873a80b5bf4ba934956ac7e6b21b
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\sqs.pdf
text
MD5: 8f509663ff946aa87d79bceda2722c49
SHA256: 87533395f406126e1030a023ffc33304539f22dafd5e64921a21547eda0167d5
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\ule.docx
text
MD5: 4c483c1cd246361bbafa38af27fa4181
SHA256: c3b058c69009e01d0311580f4f39da75851c12d690afda631f3a6eb1bd2a6428
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\vtb.ico
text
MD5: 64da35f500dfe8734c32ac17d54f2a9a
SHA256: e996bcedf5ce5658761aeab1ab384b082dcd7869456606c41a6483422713503f
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\khs.dat
text
MD5: 4036e2691e8a0f641358659a39466b92
SHA256: 36402abcfe1a1e115fce785792be3c218d6e5ee9178a1cc2f9d7e9f441286248
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\xom.pdf
text
MD5: e8ebe16d87e3f9ca371504885c031432
SHA256: 95f3c269bebf1722178eb4b9237b0f1f2296555b3c420206bc9d2558d70b79a1
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\owq.dat
text
MD5: a5a8bbc8f3ad4f8e1c8d1d4407821766
SHA256: c384f3635f70e0370c17a45fecfee50331394f528d67b14bd871c21fd3e99467
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\hlu.dat
text
MD5: 1532bacee43f47aca47ac91acc0a9ddb
SHA256: 91b653815602690158cb813c8a7ab80be2517cc63679cb44ce7a3dda0b253064
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\jvs.jpg
text
MD5: d33cf9fb60e886191b25314d193f7839
SHA256: d1616cb061a3393a603cf0bdc05cdc36e289c3e8ffc9de70a51b1d571a8e211f
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\jte.jpg
text
MD5: 7fb209ef92bbd9a3f5f6e70c5013069c
SHA256: 4a7ac0ae18a78be17e8a18f56820b3aeff6ed365fe628140f46284b9b3aa31f0
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\nwb.docx
text
MD5: 629b176fbb297f2186f4b45f60e996e4
SHA256: 1fc5958a8d3a579845d13b4123c03ee0660ff23a82e1f3eb4afa6aac7812498d
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\hox.ico
text
MD5: c59341eae1b6fedbc71a9d86f64c2566
SHA256: b7b5723a960a92bf134d92897a54db307fe431f0f955baefb656f6abc4c12faf
3008
WScript.exe
C:\Users\admin\AppData\Local\Temp\yvtVtlDMtalW.zip
compressed
MD5: f108ec28efe8711abbdf66fad27b997d
SHA256: 5c0614c5a8ce0fc6fac2c9e2320c21598095311980a57fce437c464fe5e71d1e
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\qgg.docx
text
MD5: b24917167ce55a9e78c11deec7da3111
SHA256: 2eedfd6a775dd03b9cffd571098768119226b5a545ff82f21655cc96ea0b2ce1
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\xln.dat
text
MD5: 2b0b79da9af5edb550e05d452d10ed06
SHA256: 0e0485a84e943fe29a7da88f102d4303d942352d58da9d7f967e9382542c5861
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\vks.ico
text
MD5: 90a9244cb76bb8f9b4f1575589469b37
SHA256: efaada4b963df585cc963997bbc0ecb36792719bcf75aca92dc08e88d93a336b
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\qje.mp3
text
MD5: 2f51cd0401ad4f0a388489c489b54dd2
SHA256: 822c11b57145f675e0d53a45ea78bb6c0f8eee613ff46fad9d03d7629ad4b72e
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\bmj.ppt
text
MD5: fb36f036667429d8ff88a02e3f3bd180
SHA256: d808c2177b423e41d36f45a93a260c6efc4d2748cdce295a4b5930311e58047d
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\hxx.txt
text
MD5: de4c11115dd3d29b4f5e80720351bacc
SHA256: fe79ecd29719575b3a2f0f89ca4e634a701b66ab11109e46826191a426497188
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\htr=pbc
text
MD5: d50f3f66d9c1e442e4d4927676fb1690
SHA256: 9296bad8e3bf748d3c0837ab7a8148707b2a9b88d91263374c8e00dfb6d18813
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\BorderConstants.jpg
text
MD5: 611a62a58fa9869f7ec5dd317140a9f7
SHA256: bb61fdc243ce9527a3ad1bab535139e9c5492a88fd1659a6320f8b9f0753def4
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\StructureConstants.ppt
text
MD5: fa5f4b948c882462025886f7ac55f250
SHA256: a1ae6590bcb49e53c5eeede98133c71ad99f94a129005a144004663bcedeb11c
3192
AdviceRemittanceConfirmation_BankDetailsAprroved934857438.scr
C:\Users\admin\AppData\Local\Temp\04286461\gfd.ico
text
MD5: 8862f172ee231365af4c1be35a330311
SHA256: 42e20106e73f21e559d540bc8032cb85248f2a3de5f96cfd1d5baaa67f310e99
2736
ejn.exe
C:\Users\admin\AppData\Local\Temp\04286461\ZUNRD
text
MD5: 214ee1d581de1eaa4b1e343afd942f75
SHA256: 691d530eebca3240c608f6fa2971d017a501698a7046ba1d7dede12ef6d73fd5
2516
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: b2fae8444d04bc6e1d624861af7366ea
SHA256: 71f0ae69c139c1bd979e01df4cf23cf0b5c43b00ba9f38465a6407b17d139c00

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
20
DNS requests
7
Threats
7

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2516 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
2516 RegSvcs.exe 91.192.100.18:64599 SOFTplus Entwicklungen GmbH CH malicious
2516 RegSvcs.exe 79.134.225.23:64599 Andreas Fink trading as Fink Telecom Services CH malicious

DNS requests

Domain IP Reputation
stannanoserve.duckdns.org 91.192.100.18 malicious

Threats

PID Process Class Message
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2516 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.