General Info

File name

Информация о заказе.rar

Full analysis
https://app.any.run/tasks/4e8373da-80d9-47cb-9563-026ba4529d5c
Verdict
Malicious activity
Threats:

Troldesh, also known as Encoder.858, is ransomware belonging to the Shade family. First seen in 2014, it encrypts files on the victim's machine and demands a ransom for the data to be restored.

Analysis date
11/8/2019, 13:48:56
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

opendir

trojan

loader

ransomware

troldesh

shade

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, flags: EncryptedBlockHeader
MD5

77a40254eaa84c685d148df51b8d85d7

SHA1

5ef90c7bd24c5a819ba80e0908c924df295cd6e5

SHA256

491aca6d629147e203914c416286402ecb4afd3b89cfd8938b43212a6dfdbd75

SSDEEP

192:xzwgdIRLQu+CPktN+pUbx1IAejPktJYa1vB40Ok29moPBuIZtWOFjniad:FwgdsE8PktWUbjDejPkPT89mUfWAjh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Downloads executable files from the Internet
  • WScript.exe (PID: 2168)
Changes the autorun value in the registry
  • radE51B1.tmp (PID: 3416)
Application was dropped or rewritten from another process
  • radCDD2D.tmp (PID: 2200)
  • radE51B1.tmp (PID: 2660)
  • radE51B1.tmp (PID: 3416)
  • radCDD2D.tmp (PID: 592)
TROLDESH was detected
  • radE51B1.tmp (PID: 3416)
Starts CMD.EXE for commands execution
  • WScript.exe (PID: 2168)
  • WScript.exe (PID: 2120)
Starts application with an unusual extension
  • cmd.exe (PID: 1780)
  • radE51B1.tmp (PID: 2660)
  • radCDD2D.tmp (PID: 592)
  • cmd.exe (PID: 2004)
Executable content was dropped or overwritten
  • WScript.exe (PID: 2168)
  • WScript.exe (PID: 2120)
  • radE51B1.tmp (PID: 3416)
Executes scripts
  • WinRAR.exe (PID: 2364)
Creates files in the program directory
  • radE51B1.tmp (PID: 3416)
Application launched itself
  • radE51B1.tmp (PID: 2660)
  • radCDD2D.tmp (PID: 592)
Application was crashed
  • radE51B1.tmp (PID: 3416)
  • radCDD2D.tmp (PID: 2200)
Manual execution by user
  • WScript.exe (PID: 2120)
Dropped object may contain Bitcoin addresses
  • radCDD2D.tmp (PID: 2200)
  • radE51B1.tmp (PID: 3416)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
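The behavior list above describes one delivery chain: WinRAR opens the archive, the user launches a JScript file whose name ends in ".xls.js" (the "Информация о заказе" filename means "Order information"), WScript.exe downloads a payload into %TEMP% as a rad*.tmp file, cmd.exe /c starts it, and the .tmp relaunches itself before setting an autorun value. The following script is an added example, not part of the ANY.RUN report or its product: it reconstructs that chain from process-creation records (Sysmon event 1 style) and runs a few hunting rules over them. The event records are constructed from the PIDs, parents and command lines shown in this report, plus two benign rows (PIDs 4100 and 4200, a logon script) added for contrast; roots the report shows with no parent get ppid 0. Rule names, extension lists and the helper functions are the example's own assumptions.

```python
"""Hunt for the archiver -> script host -> cmd -> %TEMP% payload chain seen in
the Troldesh report above. Added example; the event records are constructed
from the PIDs, parents and command lines in the report plus two benign rows."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe", "winzip32.exe"}
# A document-looking extension followed by a Windows Script Host extension,
# e.g. "invoice.xls.js": Explorer hides the last extension by default.
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "jpg", "png", "rtf"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)

# Constructed process-creation records. PIDs 2364..3416 mirror the report;
# 4100/4200 are a benign logon script added for contrast. Roots get ppid 0.
EVENTS = [
    {"pid": 2364, "ppid": 0, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Информация о заказе.rar"'},
    {"pid": 2168, "ppid": 2364, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2364.36627\Информация о заказе 46-07-11-2019.xls.js"'},
    {"pid": 1780, "ppid": 2168, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radE51B1.tmp'},
    {"pid": 2660, "ppid": 1780, "image": r"C:\Users\admin\AppData\Local\Temp\radE51B1.tmp",
     "cmdline": r"C:\Users\admin\AppData\Local\Temp\radE51B1.tmp"},
    {"pid": 3416, "ppid": 2660, "image": r"C:\Users\admin\AppData\Local\Temp\radE51B1.tmp",
     "cmdline": r"C:\Users\admin\AppData\Local\Temp\radE51B1.tmp"},
    {"pid": 4100, "ppid": 0, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.vbs"'},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c net use H: \\fs\home'},
]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: quoted strings or bare words."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def has_double_extension(name):
    """True for names like 'report.xls.js': document extension, then script."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in SCRIPT_EXTS


def ancestry(event, by_pid):
    """Image names from the process up to its root: [self, parent, ...]."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return (pid, rule, detail) tuples for every rule that fires."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        args = split_cmdline(e["cmdline"])[1:]   # drop argv[0]
        chain = ancestry(e, by_pid)
        if img in SCRIPT_HOSTS:
            for a in args:
                if has_double_extension(basename(a)):
                    alerts.append((e["pid"], "double-extension script", basename(a)))
            if len(chain) > 1 and chain[1] in ARCHIVERS:
                alerts.append((e["pid"], "script launched from archiver", chain[1]))
        if img == "cmd.exe":
            for a in args:
                if a.lower().endswith(".tmp") and TEMP_DIR.search(a):
                    alerts.append((e["pid"], "cmd runs .tmp from %TEMP%", basename(a)))
        if img.endswith(".tmp") and TEMP_DIR.search(e["image"]):
            alerts.append((e["pid"], ".tmp executed as a process", img))
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) == img and TEMP_DIR.search(parent["image"]):
                alerts.append((e["pid"], "self-relaunch from %TEMP%", img))
            if SCRIPT_HOSTS & set(chain) and ARCHIVERS & set(chain):
                alerts.append((e["pid"], "archiver -> script host -> %TEMP% payload", " <- ".join(chain)))
    return alerts


def rules_by_pid(alerts):
    """Group fired rule names per PID, preserving order."""
    out = {}
    for pid, rule, _ in alerts:
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule}: {detail}")
```

The rules deliberately key on the relationships the report exposes (parent image, argument path, a process whose parent is the same .tmp image) rather than on the rad*.tmp name or the file hashes, which change per campaign; the benign logon script rows show that plain WScript.exe or cmd.exe use does not fire them.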

Static information

TRiD
.rar
|   RAR compressed archive (v-4.x) (58.3%)
.rar
|   RAR compressed archive (gen) (41.6%)

Screenshots

Processes

Total processes
48
Monitored processes
9
Malicious processes
6
Suspicious processes
2

Behavior graph

Process chain shown in the graph:

  WinRAR.exe (no specs) -> WScript.exe -> cmd.exe (no specs) -> radE51B1.tmp (no specs) -> radE51B1.tmp (#TROLDESH)
  WScript.exe -> cmd.exe (no specs) -> radCDD2D.tmp (no specs) -> radCDD2D.tmp
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2364
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Информация о заказе.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\rpcrtremote.dll

PID
2168
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2364.36627\Информация о заказе 46-07-11-2019.xls.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\scrrun.dll
c:\program files\common files\system\msadc\msadce.dll
c:\program files\common files\system\ole db\oledb32.dll
c:\windows\system32\bcrypt.dll
c:\program files\common files\system\ole db\oledb32r.dll
c:\program files\common files\system\msadc\msadcer.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
1780
CMD
"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radE51B1.tmp
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\rade51b1.tmp

PID
2660
CMD
C:\Users\admin\AppData\Local\Temp\radE51B1.tmp
Path
C:\Users\admin\AppData\Local\Temp\radE51B1.tmp
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
28.0.0.45
Modules
Image
c:\users\admin\appdata\local\temp\rade51b1.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3416
CMD
C:\Users\admin\AppData\Local\Temp\radE51B1.tmp
Path
C:\Users\admin\AppData\Local\Temp\radE51B1.tmp
Indicators
Parent process
radE51B1.tmp
User
admin
Integrity Level
MEDIUM
Exit code
3765269347
Version:
Company
Description
Version
28.0.0.45
Modules
Image
c:\users\admin\appdata\local\temp\rade51b1.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

PID
2120
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Информация о заказе 46-07-11-2019.xls.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\scrrun.dll
c:\program files\common files\system\msadc\msadce.dll
c:\program files\common files\system\ole db\oledb32.dll
c:\windows\system32\bcrypt.dll
c:\program files\common files\system\ole db\oledb32r.dll
c:\program files\common files\system\msadc\msadcer.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
2004
CMD
"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\radcdd2d.tmp

PID
592
CMD
C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp
Path
C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
28.0.0.45
Modules
Image
c:\users\admin\appdata\local\temp\radcdd2d.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2200
CMD
C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp
Path
C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp
Indicators
Parent process
radCDD2D.tmp
User
admin
Integrity Level
MEDIUM
Exit code
3765269347
Version:
Company
Description
Version
28.0.0.45
Modules
Image
c:\users\admin\appdata\local\temp\radcdd2d.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

Registry activity

Total events
735
Read events
693
Write events
42
Delete events
0

Modification events

PID Process Operation Key Name Value
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes ShellExtBMP ––
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes ShellExtIcon ––
2364 WinRAR.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E LanguageList en-US
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\Interface ShowPassword 0
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\ArcHistory 0 C:\Users\admin\AppData\Local\Temp\Информация о заказе.rar
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths name 120
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths size 80
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths type 120
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths mtime 100
2364 WinRAR.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E @C:\Windows\System32\wshext.dll,-4804 JScript Script File
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2364 WinRAR.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 EnableFileTracing 0
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 EnableConsoleTracing 0
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 FileTracingMask 4294901760
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 ConsoleTracingMask 4294901760
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 MaxFileSize 1048576
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32 FileDirectory %windir%\tracing
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS EnableFileTracing 0
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS EnableConsoleTracing 0
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS FileTracingMask 4294901760
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS ConsoleTracingMask 4294901760
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS MaxFileSize 1048576
2168 WScript.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS FileDirectory %windir%\tracing
2168 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
2168 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings ––
2168 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2168 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
3416 radE51B1.tmp write HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration xi 906D0F2E2F604F839E04
3416 radE51B1.tmp write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Client Server Runtime Subsystem "C:\ProgramData\Windows\csrss.exe"
3416 radE51B1.tmp write HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration xVersion 4.0.0.1
2120 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
2120 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2120 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2120 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1

Files activity

Executable files
4
Suspicious files
0
Text files
34
Unknown types
0

Dropped files

PID Process Filename Type MD5 SHA256
2120 WScript.exe C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp executable e697d27432d8b3b691328b765c8bf9e3 2e88e60123f0d285a09e079326d295dc28cac76e222a3f3ad96038b31ca1ea59
2168 WScript.exe C:\Users\admin\AppData\Local\Temp\radE51B1.tmp executable e697d27432d8b3b691328b765c8bf9e3 2e88e60123f0d285a09e079326d295dc28cac76e222a3f3ad96038b31ca1ea59
2168 WScript.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\2c[1].jpg executable e697d27432d8b3b691328b765c8bf9e3 2e88e60123f0d285a09e079326d295dc28cac76e222a3f3ad96038b31ca1ea59
3416 radE51B1.tmp C:\ProgramData\Windows\csrss.exe executable e697d27432d8b3b691328b765c8bf9e3 2e88e60123f0d285a09e079326d295dc28cac76e222a3f3ad96038b31ca1ea59
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 813efa5bbf0dd1d86492a0c44c987e71 323bcc593d009f1f50bfcf2b76eadef2997f4e5d4d2696f7521e0cf68f8da2c6
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 3b4f2853014a96138ac6dc74e59ac4b3 d8142eb6f13ac7989839ef058f628dd8f8682d5c8d28e02da82246aa96c07592
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 3361e6616397e7dd1fcb25f2df5ff78c 58b46efb955fd50c35db6ad85c5eaba316253b13095b404fca0488d9a4b7a93c
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 402dc37b83bb048b652286f97286d837 882ebd8c2c87520f373d2948ce793be23f345aceac8b97ee6b36b38089bc92fa
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 2c6425d871c6ce06356187162be80fc5 82839afb65c3bf7cb9132b0dfd4945f5a0ef403bd270383da250a67cb72bd739
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\unparseable-desc text c099eea57f749031b521a01352b7259c 6583beb17f057192bb3cad1eaed257250ef2c084753a98190386da18ea029e0e
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\unparseable-desc.tmp –– –– ––
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdescs.new –– –– ––
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdescs text ff1af2752b49457cab78d8ee8a831f75 7c6fe712ece1bb01f05736aa20dae56c85d3895ab1c4d19c22d50ca01004c9f1
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.tmp –– –– ––
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text ba3940b991a483278f8248585bdd7122 c3da1d3403f01275346bb233e32dc66789aa92b65bfad3727a43bbe1a1769f1e
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text b62c1e6dbfbcac81dfe897fd84755709 7f1aa88a5ffcf665cd65ed51e2981baaf1a07806cfb898b5860c43b338ffbff5
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 37319f6c494cca96207b005ce9077234 30f3ab433e10eeb325e70d08554043cc33c867db0cf64e8d77e4065f23f349fd
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 942c0884406fedf27bbfd53b919c5345 f3c848b614a8c4f1d4e21316ddb89f2871f87b24ca23b86ea40c930778ecce25
2364 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DIb2364.36627\Информация о заказе 46-07-11-2019.xls.js text 1da92dc02bfbbb54a7276dc33677a599 3466bd5a409ea578bd4cabe3b556771a35b4cb74c1975605a5aa16a752074545
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text e68e2db2a1d2f8e329148ba1b46d6926 094c29cbab013c731eb2f5a419278b0dd61a9b12bd07183e470780b24c1f2f63
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 7af647448708cabfc585ad64a3d4bf67 63570c51bb2ed70eb68622d31908af53354b2b09f895a807003d7ccff64fc4a8
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text bbf2644de85fc707bbb9de33f0cfbaf3 0516b1fd1fd1a7c54c726ac60298b45a29964251a0853d2ccc4e3de6f06f176c
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 49c0397c3772b9258d7cd0bfd3a4c886 12d3ddaf5a1b16fa7eed0af142e9460b2181284f5121ceab41780cd5ff6b3029
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 299f20ac7d8e690462ad9086b63284ed 947842e95f2334cdbd35f7fd53f1317c92772b3a04523ab0703c6273ade38624
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensus text 9e33db2c3430a3c9dce0ffbcfcd0e139 6e4b70dd5a509342b92965a1cb95a6344e2e874a32a121619e1f7afce9772475
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp –– –– ––
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certs text 6a56355b555662f088fd72c35810561e 3aa5808d825e3bd0bb811c427fb98034b5ff63104decb678e3d6ef72415d6948
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp –– –– ––
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus text 9e33db2c3430a3c9dce0ffbcfcd0e139 6e4b70dd5a509342b92965a1cb95a6344e2e874a32a121619e1f7afce9772475
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp –– –– ––
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\state text a55a61f14a91a72c90dab3b65626422a 36718c7093572d1193cc21e8385282f4d613c7e6abbc23eba9156a6c301a9c34
3416 radE51B1.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp –– –– ––
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp –– –– ––
2364 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRb2364.38384\Информация о заказе 46-07-11-2019.xls.js –– –– ––
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text 99a6e973a2b6960a89c232e2c5646184 695a9cdab9cecd5a43e49034f0d2211d0934d14efccc6bd6f8560b3efcd50a6d
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.new text af63d70333f8ad23373fd4297e91746e 94442bc5beafb13f13cab3c4d040216ede7723e357eefa00cdc149546a59485a
2200 radCDD2D.tmp C:\Users\admin\AppData\Local\Temp\6893A5~1\state text 4aadb62063dc1b6dd8458586325589b0 26bcab8e33c78536f621183a2b0fcc0251a7ee641ad1ead9e1a2a4027eff1f6c

Network activity

HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
4
Threats
22

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2168 WScript.exe GET 200 153.127.1.110:80 http://motez.net/.well-known/pki-validation/payments/5k54nfmdci/2c.jpg JP executable malicious

Connections

PID Process IP ASN CN Reputation
2168 WScript.exe 153.127.1.110:80 SAKURA Internet Inc. JP malicious
3416 radE51B1.tmp 193.23.244.244:443 Chaos Computer Club e.V. DE suspicious
3416 radE51B1.tmp 86.59.21.38:443 Tele2 Telecommunication GmbH AT malicious
3416 radE51B1.tmp 91.33.226.223:49001 Deutsche Telekom AG DE suspicious
3416 radE51B1.tmp 95.216.61.100:9001 Hetzner Online GmbH DE suspicious
3416 radE51B1.tmp 155.98.5.5:443 University of Utah US suspicious
2200 radCDD2D.tmp 212.227.200.133:9001 1&1 Internet SE DE suspicious
2200 radCDD2D.tmp 51.254.147.57:443 OVH SAS FR suspicious
2200 radCDD2D.tmp 158.255.1.112:443 Mir Telematiki Ltd RU suspicious

DNS requests

Domain IP Reputation
motez.net 153.127.1.110 malicious
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
2168 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2168 WScript.exe A Network Trojan was detected ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2168 WScript.exe A Network Trojan was detected AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2168 WScript.exe Misc activity SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3416 radE51B1.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 210
3416 radE51B1.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection
3416 radE51B1.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 597
3416 radE51B1.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection
3416 radE51B1.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 78
3416 radE51B1.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 632
3416 radE51B1.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 669
3416 radE51B1.tmp Misc activity ET POLICY TLS possible TOR SSL traffic
3416 radE51B1.tmp Misc activity ET POLICY TLS possible TOR SSL traffic
3416 radE51B1.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection
3416 radE51B1.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection
2200 radCDD2D.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 284
2200 radCDD2D.tmp Misc Attack ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 458
2200 radCDD2D.tmp Misc activity ET POLICY TLS possible TOR SSL traffic
2200 radCDD2D.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection
2200 radCDD2D.tmp Potential Corporate Privacy Violation POLICY [PTsecurity] TOR SSL connection

2 ETPRO signatures available at the full report
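The registry writes, dropped files and the single HTTP download recorded above carry the evidence a triage script can score automatically: an autostart value under HKCU\...\Run pointing at C:\ProgramData\Windows\csrss.exe, a binary named like a Windows system process dropped outside %SystemRoot%, a double-extension script (.xls.js) extracted from the archive, a cluster of Tor client state files (cached-certs, cached-microdesc-consensus, state) in one %TEMP% directory, and a ".jpg" URL that served a PE. The Python below is an added example, not part of the ANY.RUN report or of any tool it names. It transcribes a subset of the report's events as inline data (8.3 paths such as 6893A5~1 expanded to their long form) and applies those five rules; the downloaded body is constructed as a bare MZ/PE header, since the report only gives hashes; the trusted-directory prefixes, system-binary names, extension lists and the minimum of two Tor state files are the author's assumptions; and the HKLM\SOFTWARE\System32\Configuration rule (values xi, xVersion) comes from public Shade/Troldesh write-ups, not from this page.

```python
"""Triage rules over the indicators in this sandbox report (added example)."""
import re
import struct
from collections import defaultdict

# Constructed inputs: a subset of the report's registry writes, dropped
# files and the one HTTP download (8.3 paths such as 6893A5~1 expanded).
REGISTRY_WRITES = [
    ("2364", "WinRAR.exe", r"HKEY_CURRENT_USER\Software\WinRAR\Interface",
     "ShowPassword", "0"),
    ("3416", "radE51B1.tmp", r"HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration",
     "xi", "906D0F2E2F604F839E04"),
    ("3416", "radE51B1.tmp",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Client Server Runtime Subsystem", r'"C:\ProgramData\Windows\csrss.exe"'),
]
DROPPED_FILES = [
    ("2364", "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DIb2364.36627"
     r"\Информация о заказе 46-07-11-2019.xls.js"),
    ("2168", "WScript.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows"
     r"\Temporary Internet Files\Content.IE5\LH043OAM\2c[1].jpg"),
    ("2120", "WScript.exe", r"C:\Users\admin\AppData\Local\Temp\radCDD2D.tmp"),
    ("3416", "radE51B1.tmp", r"C:\ProgramData\Windows\csrss.exe"),
    ("3416", "radE51B1.tmp", r"C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs"),
    ("3416", "radE51B1.tmp",
     r"C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus"),
    ("2200", "radCDD2D.tmp", r"C:\Users\admin\AppData\Local\Temp\6893A5D897\state"),
]
HTTP_URL = "http://motez.net/.well-known/pki-validation/payments/5k54nfmdci/2c.jpg"

def fake_pe_body() -> bytes:
    """Constructed stand-in for the 2c.jpg download: a bare MZ/PE header."""
    b = bytearray(0x84)
    b[0:2] = b"MZ"
    struct.pack_into("<I", b, 0x3C, 0x80)  # e_lfanew -> offset of "PE\0\0"
    b[0x80:0x84] = b"PE\0\0"
    return bytes(b)

# Rule tables (author's assumptions; tune per environment).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}
TOR_STATE = {"cached-certs", "cached-microdesc-consensus", "cached-microdescs.new", "state"}
DOUBLE_EXT = re.compile(r"\.(xls|xlsx|doc|docx|pdf|jpg|txt)\.(js|jse|vbs|vbe|wsf|hta|exe|scr)$", re.I)
# Shade/Troldesh keeps its campaign id and version here (public write-ups, not this page).
SHADE_CFG_KEY = r"hkey_local_machine\software\system32\configuration"

def split_path(path):
    d, _, base = path.lower().rpartition("\\")
    return d, base

def is_pe(body: bytes) -> bool:
    """True when a DOS header's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", body, 0x3C)[0]
    return body[off:off + 4] == b"PE\0\0"  # slice is empty if off is out of range

def registry_findings(writes):
    out = []
    for pid, proc, key, name, value in writes:
        target = value.strip('"').lower()
        if RUN_KEY.search(key) and not target.startswith(TRUSTED_DIRS):
            out.append(f"persistence: {proc}[{pid}] Run\\{name} -> {target}")
        if key.lower() == SHADE_CFG_KEY:
            out.append(f"shade-config: {proc}[{pid}] wrote {name}")
    return out

def file_findings(files):
    out, tor_dirs = [], defaultdict(set)
    for pid, proc, path in files:
        d, base = split_path(path)
        if base in SYSTEM_NAMES and not d.startswith("c:\\windows\\"):
            out.append(f"masquerade: {proc}[{pid}] dropped {base} in {d}")
        if DOUBLE_EXT.search(base):
            out.append(f"double-extension: {proc}[{pid}] {base}")
        if base in TOR_STATE:
            tor_dirs[d].add(base)
    for d, names in tor_dirs.items():
        if len(names) >= 2:  # a single matching name is too weak on its own
            out.append(f"tor-client-state: {d} ({len(names)} state files)")
    return out

def http_findings(url, body):
    """Flag a download whose URL claims an image but whose bytes are a PE."""
    ext = url.rsplit(".", 1)[-1].lower()
    if ext in {"jpg", "jpeg", "png", "gif"} and is_pe(body):
        return [f"pe-as-image: {url}"]
    return []

def triage():
    return (registry_findings(REGISTRY_WRITES) + file_findings(DROPPED_FILES)
            + http_findings(HTTP_URL, fake_pe_body()))

if __name__ == "__main__":
    print("\n".join(triage()))
```

Two design points. The image check looks at the bytes (DOS header plus a valid e_lfanew to the PE signature) rather than at the URL extension or a Content-Type header, because the server controls both of those and this sample was served as a .jpg; the IDS rules fired on the same mismatch. The Run-key rule alone would not catch a target placed under C:\Windows, which is why the masquerade rule checks the drop path of the file independently of how it is started.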

Debug output strings

No debug info.