General Info

File name

sample.zip

Full analysis
https://app.any.run/tasks/ff368a1c-659a-481f-b76d-ea84c1cbab78
Verdict
Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). This malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is written on the .NET framework and is available for purchase for just $25 from its "official" website.

Analysis date
10/9/2019, 18:54:16
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

e2f26958f2e4999f3cd6af6de352453d

SHA1

121ffec31894704bcdfd793aee8d55515776464b

SHA256

436fd59ddb97d1121249bbcb47c3db6a4a258318ee1a3b505b89f898b080d1d6

SSDEEP

24576:PhXhgV+kCr0y9NY04XfCgn6/g7i3iMFfR8siWtTafzRDyec9+XpGta87xHpw6Yzz:JXyV7Cr0yTcXfrgg4FfRdgfFDyef4Y8m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • matoidghp.exe (PID: 3824)
  • KKK.exe (PID: 3552)
  • RegSvcs.exe (PID: 3652)
Changes the autorun value in the registry
  • RegSvcs.exe (PID: 3652)
  • matoidghp.exe (PID: 3824)
NANOCORE was detected
  • RegSvcs.exe (PID: 3652)
Executable content was dropped or overwritten
  • KKK.exe (PID: 3552)
  • matoidghp.exe (PID: 3824)
  • RegSvcs.exe (PID: 3652)
Drop AutoIt3 executable file
  • KKK.exe (PID: 3552)
Executes scripts
  • KKK.exe (PID: 3552)
Starts MSHTA.EXE for opening HTA or HTMLS files
  • matoidghp.exe (PID: 3824)
Creates files in the user directory
  • RegSvcs.exe (PID: 3652)
Manual execution by user
  • KKK.exe (PID: 3552)
Reads internet explorer settings
  • mshta.exe (PID: 3212)
  • mshta.exe (PID: 2784)
  • mshta.exe (PID: 2224)
  • mshta.exe (PID: 2920)
  • mshta.exe (PID: 3484)
  • mshta.exe (PID: 2212)
  • mshta.exe (PID: 3764)
Dropped object may contain Bitcoin addresses
  • KKK.exe (PID: 3552)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:10:09 16:54:00
ZipCRC:
0x42051ef6
ZipCompressedSize:
1159785
ZipUncompressedSize:
1289387
ZipFileName:
ef9399691deee804becb065f2b1506959d10b04a1c194ff68df355b3b7f74df5.bin

Processes

Total processes
45
Monitored processes
12
Malicious processes
4
Suspicious processes
0

Behavior graph

Graph nodes (flattened from the interactive view): winrar.exe (no specs); kkk.exe; wscript.exe (no specs); matoidghp.exe; mshta.exe, listed seven times (no specs); regsvcs.exe (tagged #NANOCORE). Edge labels present in the graph: "start" and "drop and start".

Process information


PID
2928
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3552
CMD
"C:\Users\admin\Desktop\KKK.exe"
Path
C:\Users\admin\Desktop\KKK.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\kkk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wscript.exe

PID
3728
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\11929990\mttm.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
KKK.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\11929990\matoidghp.exe

PID
3824
CMD
"C:\Users\admin\AppData\Local\Temp\11929990\matoidghp.exe" jwuat.xef
Path
C:\Users\admin\AppData\Local\Temp\11929990\matoidghp.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 8, 1
Modules
Image
c:\users\admin\appdata\local\temp\11929990\matoidghp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshta.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2784
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
2920
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
3764
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
2212
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
3484
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
2224
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
3212
CMD
"C:\Windows\system32\mshta.exe"
Path
C:\Windows\system32\mshta.exe
Indicators
No indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mshta.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\psapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll

PID
3652
CMD
"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Indicators
Parent process
matoidghp.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.7.3062.0 built by: NET472REL1
Modules
Image
c:\users\admin\appdata\local\temp\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\f971acbc25b64dfe4d70e5b25837c780\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
1506
Read events
1398
Write events
108
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2928
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2928
PID | Process | Operation | Key | Name | Value
–– | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | ––
2928 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
2928 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\sample.zip
2928 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2928 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2928 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2928 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2928 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
3552 | KKK.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3552 | KKK.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3728 | WScript.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
3728 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3728 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3824 | matoidghp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3824 | matoidghp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3824 | matoidghp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\11929990\MATOID~1.EXE C:\Users\admin\AppData\Local\Temp\11929990\jwuat.xef
2784 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2784 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2920 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2920 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3764 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3764 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2212 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2212 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3484 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3484 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2224 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2224 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3212 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3212 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3652 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
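The two Run-key writes above (WindowsUpdate by matoidghp.exe and TCP Monitor by RegSvcs.exe) are the persistence evidence in this report; everything else in the list is WinRAR, MUI-cache and Internet Explorer ZoneMap noise that any process touching urlmon produces. The Python below is an added triage example, not part of the ANY.RUN report or its tooling. It takes registry-write rows in a (pid, process, key, name, value) tuple layout of its own, constructed from the rows above, keeps only writes to autostart keys, and lists why each looks like malware persistence: image under a user-writable directory, DOS 8.3 short name, GUID-named folder, a non-executable file handed to the image as its argument, or a value registered by a process other than the image itself. The key patterns, directory patterns and extension list are this example's assumptions.

```python
"""Triage flattened registry-write rows from a sandbox report for autostart persistence."""
import ntpath
import re

# Constructed sample: three of the registry writes listed above, keyed as
# (pid, process, key, value_name, value_data). This tuple layout belongs to the
# example, not to the sandbox's export format.
SAMPLE_WRITES = [
    (3552, "KKK.exe",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "UNCAsIntranet", "0"),
    (3824, "matoidghp.exe",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "WindowsUpdate",
     r"C:\Users\admin\AppData\Local\Temp\11929990\MATOID~1.EXE C:\Users\admin\AppData\Local\Temp\11929990\jwuat.xef"),
    (3652, "RegSvcs.exe",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "TCP Monitor",
     r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"),
]

# Heuristics (assumptions of this example): which keys count as autostart, which
# directories an unprivileged user can write to, and what counts as executable.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Users\\[^\\]+\\temp)\\", re.I)
SHORT_83 = re.compile(r"~\d+(\.[^.\\]*)?$")            # DOS 8.3 component such as MATOID~1.EXE
GUID_DIR = re.compile(r"\\[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\\", re.I)
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".dll"}


def split_command(value):
    """Split a Run value into (image path, argument list).

    A quoted image is taken verbatim. An unquoted image may itself contain spaces
    ("...\\TCP Monitor\\tcpmon.exe"), so, like CreateProcess, try each space-delimited
    prefix and take the first one that ends in an executable extension.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:  # unterminated quote: treat the remainder as the image
            return value[1:], []
        return value[1:end], value[end + 1:].split()
    parts = value.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if ntpath.splitext(candidate)[1].lower() in EXEC_EXT:
            return candidate, [p for p in parts[i:] if p]
    return parts[0], [p for p in parts[1:] if p]


def triage_write(pid, process, key, name, value):
    """Return the reasons this write looks like persistence; [] if the key is not an autostart key."""
    if not AUTOSTART_KEY.search(key):
        return []
    image, args = split_command(value)
    base = ntpath.basename(image)
    reasons = ["autostart value '%s' written under %s" % (name, key.rsplit("\\", 1)[-1])]
    if USER_WRITABLE.search(image):
        reasons.append("image lives in a user-writable directory: %s" % image)
    if SHORT_83.search(base):
        reasons.append("image uses a DOS 8.3 short name: %s" % base)
    if GUID_DIR.search(image):
        reasons.append("image path contains a GUID-named directory")
    # An 8.3 name cannot be compared with the writer's long name without the filesystem,
    # so only long names are checked for "registered by someone else".
    if not SHORT_83.search(base) and base.lower() != process.lower():
        reasons.append("registered by %s (pid %d), not by the image itself" % (process, pid))
    for arg in args:
        if "\\" in arg and ntpath.splitext(arg)[1].lower() not in EXEC_EXT:
            reasons.append("non-executable file passed as argument: %s" % ntpath.basename(arg))
    return reasons


def triage_all(rows):
    """Map (pid, value name) -> reasons for every autostart write in the rows."""
    findings = {}
    for pid, process, key, name, value in rows:
        reasons = triage_write(pid, process, key, name, value)
        if reasons:
            findings[(pid, name)] = reasons
    return findings


if __name__ == "__main__":
    for (pid, name), reasons in triage_all(SAMPLE_WRITES).items():
        print("pid %d, value %r:" % (pid, name))
        for reason in reasons:
            print("   -", reason)
```

On the rows above this reports only the two Run writes: the WindowsUpdate entry for its Temp location, 8.3 short name and the .xef argument (a loader handed a non-executable payload or config), and the TCP Monitor entry for its Roaming GUID folder and for being registered by RegSvcs.exe rather than by tcpmon.exe.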

Files activity

Executable files: 3
Suspicious files: 0
Text files: 81
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3652 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | 0e06054beb13192588e745ee63a84173 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\matoidghp.exe | executable | 71d8f6d5dc35517275bc38ebcc815f9f | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
3824 | matoidghp.exe | C:\Users\admin\AppData\Local\Temp\RegSvcs.exe | executable | 0e06054beb13192588e745ee63a84173 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
3824 | matoidghp.exe | C:\Users\admin\AppData\Local\Temp\11929990\ini | –– | –– | ––
3824 | matoidghp.exe | C:\Users\admin\temp\argfujqxxm.dat | text | 4ac4c0339dc6e907f2867023577b4f6e | 3cc8c21123f762f01620e5f6a7a4a8fe0ccdc094320c56f4c350f11c255b2567
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\fgegjj.msc | text | d5f27787b891cc773192076871a90e58 | 304b1d840d7b7ecbf48bf03a3a334e88dbd44970b2c17518e932a1c36d7b84da
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\ucmovrntte.cpl | text | b277ba8d2d40d4ca07a2fab2d137019b | bf6c3f9f389a2928734fb5d4bf7a77894f06404ff185c3ffef1d5b9e56400209
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\npjjekjnw.jpg | text | 4fddcc78f32ac586d7ac266db28240fd | 465da95458a532d403c7aa109cbff748d1c4271e262cb67fcb31fba6313a8161
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\mkmaeago.msc | text | b5e4320b329797e6495434b53206e13e | 0cf386f4b5da5f36d57dcf4506bc343bf5a30bd0e9b9c0fb250eff988597b8b8
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\tvjrd.bin | text | 8caf9ff2e3d3e976436117ae2312ef95 | ca3fdd4aa0dc5d5d15e9a517357fe57aa6690179cd5d35fab7c5bdf3dc3e688c
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\iehvc.exe | text | 029ce1c6daf5cbe0b5a4f6a859ca0076 | 80745489d867f5791a8e64a8b316f784c6b29507ffd3a822fa7fd1a8da774260
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\xpcwbma.ppt | text | c25ef2fc73e44b0c95990fbc7a621337 | 580194b0e3f35db09ac7797cfcdd753d347fa252bc26e347909dbdd54145925f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\qdmjmvq.jpg | text | 3b09b4adfa24673ff9b460ff21907909 | 1e5d041205e6463a2a975a92ebfaac7f9d94f98a521ba0b4891807ee7818791e
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\agni.msc | text | 723a1ce8def84232d400e9ceef91da0e | c87700b87aea13088c359b7d9a3587f66c4c130f6003367b01e6922663b3b918
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\dpuqs.xls | text | 5c575546697a5cb7746a31b6cdf6d7ae | ac34f726d22f2fe6f1213487ad67f2400a618c3ad4c657fc966d27f0462390a9
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\hpoq.ico | text | dd643fe137718a14269d57326bceb650 | 5f98c9202d263176b1eed601560efa32731706560200ec8f6ea67c9943b747f2
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\sfkqdxdn.mp3 | text | 7ae68e07420b1e939945667c7df6022c | fc8de6afa5e13fac916ae6d41cba292b212d73670d295782392aaf8503eb78ed
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\ombmvgvg.bin | text | d478745b3f9f660c1d81b65f96c88c5a | f808812d8f0e743f54a72bcd41bb04439879cc4c30114d52870231a6f8c15ebb
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\fgrpvc.log | text | 05fb58ac7c6ad957159d64a33ad4d354 | 9b7dd435e8bd190abd391e3435dbd9604af85dd503130feb8c614d19ff1799d2
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\frfnccl.txt | text | d90cb43caaa30270a9a266dd5fc30e61 | 70aef8bd31bee3835c4282e49db0a5c13e2df8c68df800e3b308042681422c9f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\lrmk.ini | text | 3995c7bf36272635ec780edd3fc4ad46 | feaf10ea9af7da31c0aa3961f3e6efd87812cbcf5eb4a25977708c023a993c68
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\mhufutq.dat | text | 65046c3a769e982e695891ec19d75194 | afab0a2e6a26228e40fbe002e84d80e211f8c00770703c08f8e24cfffeabfe22
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\vswkifg.xml | text | 3506b5710e25e5b81b3febc610f391e0 | d7e23bc18a649978f9c658d642da659d07946986905ec7ac665f825e630b42d9
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\tqwjuofiu.dat | text | b1b38e61149776e5a37178acd42361e6 | a1ead9515f06e03f5c83f4a64b568765dcffc5b27994e35124e82302fb057111
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\ptfak.mp3 | text | 20d47541b4bdbdea2c8434d2d8a81ad9 | b249aa2a0bd9eb7e97534da6a072f5d4b6392de758c691ba006abebd6b6c4d4d
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\kxtu.xls | text | 0ce514133bbf723da557cf57636c6cd1 | 324cb8d51358299f75e37642fc21a5669c38d79ebb2023230910efa2207218e5
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\vslfgwbb.ppt | text | f9c0c9188129938ac684dcb98566837e | 9736fcf971c3d88f40d8e08056b8056e7b0e91b71a47e0cc21c51a16b304311f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\sfwljlesvc.ico | text | 3fa711c46a77e597cc27ece749f848d2 | d4cc7f752ff62fe883e4334dbe5826e5f3deac5bc1b44c0f820f9753ff730bf2
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\sxbhk.jpg | text | 137aba3c826809e64f9acf35b27f3fb3 | 1d28e2774bce65c16663a85020ed2e512895423f5e29ef988fdb40e10b6dfdf0
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\qhdfqfoji.log | text | 109bbc1320b93c8e21a4ce7225bfbeaf | e47999c45398189d5f6eec0b8973c0ba1b51eaa0b8ace8a88f5595f47fe179ed
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\fvookr.xls | text | a1479eda8a668ecb470cf9f940be1a7d | c01a6d515fd8697a1b89daa5e27162492bc9b955eea2884c84134b587b2e955f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\sqvow.jpg | text | 715f9957a36de49a587e63e44d7bb04e | 8e485b62470598bedb100fa27ac91b715ed5ef850a87f9b13381f3b5c66cee32
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\bnitl.dll | text | c1bafe119eba0ba826b7f14e07f12e48 | 62f0d9cf779ff450954898b2d4b5d5655fe45ab40bb76f4a01d91d4310085998
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\vplssrkqsd.jpg | text | 54543405bdb74005548869f6a3f79764 | 7a4941667c176d6342e373b50a7a40a250d224e56ed51fea287994189f94768f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\filamqapo.log | text | 1e7a35bcd9191ebd56e2948d8db927f9 | 4d6ea877580fe79fce392b1b6d59db38588b89926162f6db308b5a927ff2ab40
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\gbxphnio.docx | text | 82e53af696e2e1a1ae01d6543f355622 | e0fb21e746e1892fa8534165f5e980d6cf123976a6be187a9e249bf005245f5d
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\coban.bin | text | 901ca3183fff42f614c6525fd11f64c5 | dd956bc5ad05f3bbcdbd64604d002b1778ab634f1c153e2f3b00f2d53ea08337
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\kgouoreq.docx | text | 8d8e7a48bc45812de5b5a5cb9c6320cb | ac4db0e79533011bd9ce868a9ae0b18fac43f23e0ec6fa85609b44e0864f446f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\neobdoqrup.msc | text | 2e3c2b25be122ececd53eb76504ce540 | 69a5b2cfcf16b27675ccd906215df5274eca60f45c87f553718919cbe098ac4a
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\envuldqjeg.msc | text | 6d87521a27ecd98f5dab9fa68d081f56 | 0879df07cb48797761013b2729276e1942e86bab34dcd0b54da99a613de03d66
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\rwsevdb.xml | text | 9c20b45f8ce32ad74a39fa45f7a53864 | 44372161415047664b4afcd7d364d3053914d88e2dc32a10c0c42d09ae39ce9c
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\avikf.ico | text | c4d4a572e7e80a06d266b2fa1107149f | ba042a6148b55e67ff3764a88a9e3bae9ace0fa1496ae9c723c66cfcdcc2d515
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\hsqjodfacv.txt | text | 24eb17b117bb15adcff17eedf3ed4e8f | 7c18f64ebf66194a694ccc16cadc71733b41debd61dc9132484bb6fffa9a8014
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\jeolwgon.cpl | text | 6499753e27ac0ee08672bba7eb5caf9c | 5d7cd8c961c8b8d19fdc487a189d763a4ea26fbd9107c2e1507c363f1f81dba7
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\aerbjro.xml | text | e51df7fc4df9de610ef7788cb6c58ff5 | 436e19f1fbaba910c191a0a54ee5708ab2993d2ca3f9485f22a038bbc94ae767
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\kffxmoqj.msc | text | 4e415f8050c384262d6975b192e99384 | 8301776e63dece49b6ad4dcfd4752242135f59c5b609886acbd728bc27c5897e
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\omovrcpk.exe | text | 055b7f41d26d746dddbadc3352fd9f45 | 018c322e865bb6e5435db8fdfc4a5b4a197da69af2429e5111e1b4ff6139ab03
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\mlooxw.dll | text | 13cee2ecc4984d42cc3a681edc5c0419 | b33198a1e3873634b8937bc454e536390647733355dbfb350d4eeb40fea978c8
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\fiaop.pdf | text | d9bb5e6665d69c8057984dde272ecc1c | e980992f0280319f551ae46594ef2c30b30200970fdc2b5d4b1706303a2a9de7
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\scvkaxna.dat | text | fbf7cb089fc3e29f3b2a50bedacd2299 | c910ece551d69c80a192012649a4f50a0f4e465e83d0da68f29962ef064e30b2
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\odxleawe.xls | text | 07ebcee5f23776ea228947bea10eed3b | cdaf4fa50a04bdbafc2651caa3d9e1922d571051cfd9e40f7e9db0f597ca768d
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\neju.dll | text | 80a1202fbb8fa65b98a01eac2409ea11 | 9e5fe7b1c71a595fa5171d58f59b39c28ccd3cfb24021f7ec360c66288c24e02
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\hukdafb.ppt | text | a9e2d1d5eb94173dadbbded248f256e9 | 2fa87aeb0598439945c57326b4f7e72e4d5006c942d239f8561bac34caef7f02
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\prmmt.pdf | text | 91c24139a7f2dc56fb001b1317a09dc6 | 8f0145b7b618dc6d5d3b038c386d3b73a05936cc6e96c50d3a75a0a8cd0ef23a
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\mpnqlewx.ppt | text | ae1f2ffe600cd34a246909ea087b1938 | 7dfcaf1bf570b3c307de69b3fc499e600f74d7c1bf0b57fdb746f986d4699086
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\hhdp.txt | text | b67da056e487756dc83ddc45036ccfab | 85c5cf778dd3722cb757bbad15948305b5c778473bb3fd0bfacc3510a213c9f7
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\oocwr.ppt | text | 656a562d65a44ee0dd3975dec8782402 | b0c47d322c1262bf4c43da4933cf097bed32b2e384547856fa078c90c045d47e
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\ruqlwver.ini | text | 484668c35b11004fcddbf63adb7df62a | 032d5ec07ff3485f365f4d873d191cca24902fcf3fce1fc3922d0c478e5a9eb6
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\akvjhx.bin | text | 6296be5a5b0d2728d4236ef1557892b2 | 9955ac924a792d235b859482187563d9c505c5a2bd10d2c7be30b60af647da4e
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\lhkg.dll | text | 37a09c344054d703d273796f60780ebb | 43a8e78f4ce8bc8a2d3f0b442867e89e1758146e125a2106086938eb6e87001f
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\kgdkc.jpg | text | 9832d1820203224d6c78fc2f78f13423 | 3fe403c77b079bfc5dd08ba45a9f58bdd58156cfaa51a6455349222cfcf93ce5
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\thiupanvvm.dll | text | 4d6998e583c71580a4c98375779a1a42 | e3637e0f4a11911381850f8146fa688fe21229d189dcd7f3532e34ad0c77faad
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\xduu.ini | text | 0915d79a7bbd60e36f78259fb7c1bbeb | 9de2c30b713a3df7e442fe3b8a54f6bb55ef5faee45b1a5834cf9fda06aa686d
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\fbdeg.pdf | text | 00afaa1d99030e0126766ea2b9e7624f | 688365d91367ab65f03a6dd735389d4a19d8e1852a0d3060f697a2cbea51af23
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\hutni.ppt | text | cb3433ce2cccd98f0574e3a0de3ab87b | ca8586dfcbc40d4b34e0e778cc92fd05fd57117ace516a959a8d3ded6f805d6b
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\qlvqbi.log | text | 0c8a0db611b5e75ff42c30394d09c870 | 55c15cf6a4c6dc56388dc6dd5ee798fa1435ab55012bbff9c58e2340df2a3455
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\cgksjfdu.ppt | text | 6f62922a924146b4d741895a0642eef7 | ab44e04c0659c6cf07d927696f021b19e42bc5ae8ace8c92ad12917e77662c23
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\upku.log | text | 2f2c6ff11eccd0a75e0e5f9a35e1a4b7 | 1903a7c10489ab28338121bc2261993086d8bb34054fa779d7a17ee927ee40c5
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\bfkemoqi.pdf | text | 76bdb11050f103316e5090e5fc573845 | e1f56cae095ae6cddbafe91d8d58cd6c0bbb7d778e2f6ace6b0e6a5f78675ec3
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\liqqjx.jpg | text | a91daf2a8f93d49ab5dd4b8698313d19 | 54edf389f2f5f5c5e61378a3b592ba78e55969ef85d4f3d440da183d703f59a4
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\lljducgowp.xls | text | 6f8ce06eebc6ce28492bdccc4368299b | 1451b1f62ade82188ba7c645639805cb8763aa57769376c36192dfc88e729006
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\ulutewjh.xls | text | 940b0cada609bf7579c97e6af98fbce5 | 2dae9759d762f6ca22e5f70a0c7593967dfa1bd16c108b6dbd2bf23b0db4ccde
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\jcaxwxa.docx | text | 4118d3e1b4192b4a131d0b33c74831a6 | 5b6d2826dafa1cf2ec105aa28d334c92c6f297c7043b9169f37cfb94cc539078
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\lhnnu.docx | text | 1e6f3708fed792b523438b44195824db | b3c4407cdba72d4f5bec48230920a11b4afb259c6bc0c5a27ed52f487e0c4dbe
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\lmegbchqkr.xls | text | 0f5714268e409022488399d5d929a21f | dd24128383ed0ea26af416bfd40adfb2941c28cadf942491374112e232607115
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\ohcei.log | text | f1700d5aad306699fc4bc7e21732ec13 | 1f5988c7e5c23e3c2d38a3bf2f9e83847595f106969fe4fc4eda98be534f7091
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\wjjuifbs.ini | text | 7402f7b5141642ea331240f82d5ab2c7 | 4d08a3e79b4537ef5428ff132c45697fbe5cffb4b5866cba33dcd50e54ad192b
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\rubnr.mp3 | text | b48bfd1c5ab11bf38bef2a017e9a9159 | 46fbab56093ea277f04a366750da06bd1eb0cd76372f539b0c59d961b2eb5ec3
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\pnfcnxe.xl | text | ed959aeb766040192b9b3200691a2eea | 1e8e5567c733125890c244cceb557893413312adbde05846f258242422c46437
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\mttm.vbs | txt | c0eecb758b397d2dddeda9ab4ebcb58b | bc288b358ccac6a657a385d8362da91ffbe69ec707b37e296f8c1ca7fdf9d732
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\cgmg.docx | text | c2532551aede38ed0cd822880bd7d268 | 45d8cbd09f49d637f17d32c1d513d6eb653d61425e1e748bfd59674c0e704028
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\rpbbamiuaq.msc | text | fe46719f13db2f0d9fd78b06f6a3c38e | c5954f7fed1cefc1b23c3ae3257f8a6bf3608ee65a27a78f9f8be2ee9cf9199a
2928 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2928.8255\ef9399691deee804becb065f2b1506959d10b04a1c194ff68df355b3b7f74df5.bin | –– | –– | ––
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\jwuat.xef | –– | –– | ––
3552 | KKK.exe | C:\Users\admin\AppData\Local\Temp\11929990\argfujqxxm.dat | text | 3e5e87c2c8cf199e979390db828a7b34 | 7fefe9828da84337f05303d6a952d6c89d6a6fa43df2b9e4adc46c9856ccb9f9
3652 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | 1301ae015e9192fabbab83512665fd1b | b88a913d21c14d7f7a4721ce8f8524f4dbec7f0a80173cce89a74ea2a3bc0136
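Three things in the dropped-file list above carry the story: KKK.exe fills Temp\11929990 with dozens of randomly named files whose extensions promise images, documents and binaries but which the sandbox types as plain text; the one real executable it drops, matoidghp.exe, writes C:\Users\admin\AppData\Local\Temp\RegSvcs.exe; and that file's MD5 (0e06054beb13192588e745ee63a84173) is the same as the tcpmon.exe later installed under Roaming\90059C37-…, so the persisted binary is a copy of the staged one. The Python below is an added triage example, not part of the ANY.RUN report or its tooling. It works over a constructed subset of the rows above in its own (pid, process, path, type, md5) layout and reports reused hashes, extension/type mismatches, directories that look like a decoy dump, and the executables that were dropped. The extension set and the decoy threshold are assumptions of the example.

```python
"""Triage a sandbox's dropped-file list: hash reuse, extension/type mismatches, decoy dumps."""
import json
import ntpath
from collections import defaultdict

# Constructed sample: a subset of the dropped-file rows above as
# (pid, process, path, sandbox_type, md5). The tuple layout is this example's own.
SAMPLE_DROPS = [
    (3652, "RegSvcs.exe", r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe", "executable", "0e06054beb13192588e745ee63a84173"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\matoidghp.exe", "executable", "71d8f6d5dc35517275bc38ebcc815f9f"),
    (3824, "matoidghp.exe", r"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe", "executable", "0e06054beb13192588e745ee63a84173"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\fgegjj.msc", "text", "d5f27787b891cc773192076871a90e58"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\npjjekjnw.jpg", "text", "4fddcc78f32ac586d7ac266db28240fd"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\iehvc.exe", "text", "029ce1c6daf5cbe0b5a4f6a859ca0076"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\xpcwbma.ppt", "text", "c25ef2fc73e44b0c95990fbc7a621337"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\dpuqs.xls", "text", "5c575546697a5cb7746a31b6cdf6d7ae"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\hpoq.ico", "text", "dd643fe137718a14269d57326bceb650"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\sfkqdxdn.mp3", "text", "7ae68e07420b1e939945667c7df6022c"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\bnitl.dll", "text", "c1bafe119eba0ba826b7f14e07f12e48"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\fiaop.pdf", "text", "d9bb5e6665d69c8057984dde272ecc1c"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\gbxphnio.docx", "text", "82e53af696e2e1a1ae01d6543f355622"),
    (3552, "KKK.exe", r"C:\Users\admin\AppData\Local\Temp\11929990\frfnccl.txt", "text", "d90cb43caaa30270a9a266dd5fc30e61"),
    (3652, "RegSvcs.exe", r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat", "text", "1301ae015e9192fabbab83512665fd1b"),
]

# Extensions whose genuine files are never plain text (assumption of this example). A
# "text" verdict on one of them means the name is a decoy or the content is an encoded blob.
BINARY_EXT = {".exe", ".dll", ".cpl", ".scr", ".jpg", ".png", ".ico", ".mp3",
              ".pdf", ".docx", ".xls", ".ppt", ".bin"}


def hash_reuse(rows):
    """md5 -> sorted distinct paths, for every hash that appears under more than one path."""
    by_hash = defaultdict(set)
    for _, _, path, _, md5 in rows:
        if md5:
            by_hash[md5].add(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def extension_mismatches(rows):
    """Paths the sandbox typed as 'text' although their extension promises a binary format."""
    return [path for _, _, path, ftype, _ in rows
            if ftype == "text" and ntpath.splitext(path)[1].lower() in BINARY_EXT]


def decoy_directories(rows, threshold=5):
    """Directories holding at least `threshold` mismatched files: the junk-dump pattern."""
    counts = defaultdict(int)
    for path in extension_mismatches(rows):
        counts[ntpath.dirname(path)] += 1
    return {d: n for d, n in counts.items() if n >= threshold}


def dropped_executables(rows):
    """(pid, process, path) for every file the sandbox typed as executable."""
    return [(pid, proc, path) for pid, proc, path, ftype, _ in rows if ftype == "executable"]


def triage(rows, threshold=5):
    """Bundle the four views so a caller can dump or assert on them in one go."""
    return {
        "hash_reuse": hash_reuse(rows),
        "mismatched": extension_mismatches(rows),
        "decoy_dirs": decoy_directories(rows, threshold),
        "executables": dropped_executables(rows),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DROPS), indent=2))
```

The hash-reuse view is the one to act on first: a binary that appears under a throwaway name in Temp and again under a service-like name in a GUID folder is the payload, and both paths plus the hash go into the IOC set. The decoy directory is worth noting only so that nobody wastes time triaging eighty junk files one by one.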

Find more information on the static content, and download it, in the full report.

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 20
DNS requests: 12
Threats: 0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3652 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3652 RegSvcs.exe 194.5.99.46:1977 FR unknown
–– –– 8.8.8.8:53 Google Inc. US whitelisted
–– –– 194.5.99.46:1977 FR unknown

DNS requests

Domain Reputation IP
gbengajb.hopto.org malicious 194.5.99.46
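The only traffic that is not whitelisted is RegSvcs.exe, a .NET framework utility with no reason to open sockets, talking to 194.5.99.46 on port 1977 after resolving gbengajb.hopto.org, a dynamic-DNS hostname. The Python below is an added example, not part of the ANY.RUN report or its tooling: it joins constructed connection and DNS rows mirroring the two tables above, flags non-standard ports, dynamic-DNS hostnames and outbound traffic from framework utilities, and returns the indicators to block. The DDNS suffix list, the common-port set and the utility list are assumptions of the example, not complete lists.

```python
"""Extract C2 indicators from a sandbox report's connection and DNS rows."""
import ipaddress

# Constructed sample mirroring the Connections and DNS rows of the report:
# connections as (pid, process, ip, port), resolutions as (domain, ip).
SAMPLE_CONNECTIONS = [
    (3652, "RegSvcs.exe", "8.8.8.8", 53),
    (3652, "RegSvcs.exe", "194.5.99.46", 1977),
]
SAMPLE_DNS = [("gbengajb.hopto.org", "194.5.99.46")]

# Free dynamic-DNS suffixes often used for RAT C2 (assumption of this example, not a full list).
DDNS_SUFFIXES = ("hopto.org", "ddns.net", "zapto.org", "sytes.net", "no-ip.org",
                 "no-ip.biz", "myftp.biz", "duckdns.org", "dyndns.org")
COMMON_PORTS = {53, 80, 443}
# .NET framework utilities that are routinely used as process-hollowing hosts; any outbound
# socket from one of them deserves a look (assumption of this example).
FRAMEWORK_UTILITIES = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}


def is_ddns(domain):
    """True if the hostname sits under one of the dynamic-DNS suffixes."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def extract_iocs(connections, dns):
    """Return {'connections': [(ip, port, domain, reasons)], 'lolbin_network': [(pid, process)]}.

    Private and loopback destinations are skipped; a connection is listed when its port is
    unusual or its resolved name is dynamic DNS. Framework utilities with any external
    connection are reported separately, since the process, not the peer, is the anomaly.
    """
    resolved = {}
    for domain, ip in dns:
        resolved.setdefault(ip, set()).add(domain.lower())
    flagged, lolbins = [], set()
    for pid, process, ip, port in connections:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback:
            continue
        if process.lower() in FRAMEWORK_UTILITIES:
            lolbins.add((pid, process))
        reasons = []
        if port not in COMMON_PORTS:
            reasons.append("non-standard port %d" % port)
        domains = sorted(resolved.get(ip, ()))
        reasons += ["dynamic-DNS hostname %s" % d for d in domains if is_ddns(d)]
        if reasons:
            flagged.append((ip, port, domains[0] if domains else None, reasons))
    return {"connections": flagged, "lolbin_network": sorted(lolbins)}


def blocklist(iocs):
    """Flat, de-duplicated 'domain' and 'ip:port' strings for a firewall or DNS sinkhole."""
    items = set()
    for ip, port, domain, _ in iocs["connections"]:
        items.add("%s:%d" % (ip, port))
        if domain:
            items.add(domain)
    return sorted(items)


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_CONNECTIONS, SAMPLE_DNS)
    for ip, port, domain, reasons in iocs["connections"]:
        print("%s:%d (%s): %s" % (ip, port, domain, "; ".join(reasons)))
    print("framework utilities with network activity:", iocs["lolbin_network"])
    print("blocklist:", blocklist(iocs))
```

Block the hostname rather than only the IP: a dynamic-DNS name is the operator's way of re-pointing the implant when the server at 194.5.99.46 goes away, so the name outlives the address.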

Threats

No threats detected.

Debug output strings

No debug info.