General Info

File name

PO009.ace

Full analysis
https://app.any.run/tasks/9e3dd575-ec9f-4701-a260-7c3e7816f1c8
Verdict
Malicious activity
Analysis date
11/8/2018, 19:38:59
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
application/octet-stream
File info:
ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid
MD5

09924535e4815ebdd8c8565a7741a1b6

SHA1

692d653733ab0809d1c138426de19c7ebbfced71

SHA256

4cacf8d91ea4670c9e2468e14b102aa1f25ea979050281663f8c780831d69ba2

SSDEEP

12288:PGroE3NESiwAv8hpvscTItFVLFuUyYCk0XVc12IaX9ueWVXfMOEUV3:uroEzXPnsck7VLFgk0XV22IaNu73

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • RegSvcs.exe (PID: 1060)
  • tlf.exe (PID: 2300)
Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 1060)
  • tlf.exe (PID: 2848)
  • PO009.scr (PID: 3124)
  • tlf.exe (PID: 2300)
NanoCore was detected
  • RegSvcs.exe (PID: 1060)
Connects to unusual port
  • RegSvcs.exe (PID: 1060)
Executable content was dropped or overwritten
  • RegSvcs.exe (PID: 1060)
  • tlf.exe (PID: 2300)
  • PO009.scr (PID: 3124)
Creates files in the user directory
  • RegSvcs.exe (PID: 1060)
Drop AutoIt3 executable file
  • PO009.scr (PID: 3124)
Dropped object may contain Bitcoin addresses
  • tlf.exe (PID: 2848)

Static information

TRiD
.ace
|   ACE compressed archive (100%)

Processes

Total processes
37
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

[Behavior graph: nodes winrar.exe (no specs), po009.scr, tlf.exe (no specs), tlf.exe, regsvcs.exe (#NANOCORE); edges labelled "start" and "drop and start"]

Process information

PID
3644
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO009.ace"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules

PID
3124
CMD
"C:\Users\admin\Desktop\PO009.scr" /S
Path
C:\Users\admin\Desktop\PO009.scr
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules

PID
2848
CMD
"C:\Users\admin\AppData\Local\Temp\31453763\tlf.exe" okt=kwk
Path
C:\Users\admin\AppData\Local\Temp\31453763\tlf.exe
Indicators
No indicators
Parent process
PO009.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules

PID
2300
CMD
C:\Users\admin\AppData\Local\Temp\31453763\tlf.exe C:\Users\admin\AppData\Local\Temp\31453763\SPBPB
Path
C:\Users\admin\AppData\Local\Temp\31453763\tlf.exe
Indicators
Parent process
tlf.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules

PID
1060
CMD
"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Indicators
Parent process
tlf.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules

Registry activity

Total events
808
Read events
782
Write events
26
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3644 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\PO009.ace
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Count | 0
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Name | [long hex value omitted]
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Size | 833301
3644 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @shell32,-10162 | Screen saver
3644 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | Name |
3124 | PO009.scr | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3124 | PO009.scr | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2300 | tlf.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\31453763\tlf.exe C:\Users\admin\AppData\Local\Temp\31453763\OKT_KW~1
1060 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
4
Suspicious files
0
Text files
47
Unknown types
0

Dropped files

PID
Process
Filename
Type
1060
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\tlf.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
2300
tlf.exe
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
2848
tlf.exe
C:\Users\admin\AppData\Local\Temp\31453763\SPBPB
text
MD5: 731886d2edf080fdc21d92553d578400
SHA256: 2d96e1245ba1378e37f378c2acd716340df06530ed344ab2160d19ed81b3fb78
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\gmk.xl
text
MD5: 7923020393b94ad9b4cf7954cda152de
SHA256: 070607275e635d1aa60d7ed1cbbd19c38995fd20efc9c56bc37ac9d9f27a18c7
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\wuw.xl
text
MD5: 2a4ca46e83d0b5af71da36434f39d0e3
SHA256: 5a52789e12f81dcd011e0a4d89f0f1e387d8c4e5b0585277b1a0be0b719e5780
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\hop.ppt
text
MD5: 8ab16a5967cb1cbea52d5dd726188bec
SHA256: bd32e72da8bcbb69f3950ba3005e26a247111f45a2ee95a415cbe11d3ce31445
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\jrf.icm
text
MD5: d9eee47eb4e764f7f36f315c707ef9eb
SHA256: f63826c88c1a8536e9a24f1f5acdf0dfb33d291487a25fc8ad2dc22137e0f98e
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\min.pdf
text
MD5: cb8ed0dce683a2aa6bf89a5edeea1e47
SHA256: 5412176dda0d381fe039a657f51cd0b2c431a67f0b6390da3c4dae45b5bf183e
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\jdq.mp3
text
MD5: 3dcd605eaee22338db3fe716102599f9
SHA256: 6e4c7657767f18b8856af2f6af7c81ae0f9839cadbd70cc3eceea719161dd1a9
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\rjs.docx
text
MD5: 84f6439d85a190a2dab9c0192ca3125f
SHA256: e2e99322c4bc74fb14c591527ef1dbff1c71caf66fca3835e25e6a0c6cec2b65
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\fgf.dat
text
MD5: 2a73e6f2e583f5132a94508f6bdeea2a
SHA256: c7bb5d2290d3f8f014682b75e7c5f916a0ddd32a08fe71f0abf0054c7a493527
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\brr.ppt
text
MD5: 652e1543f0466c4ee3700b76e0d805b7
SHA256: 0c984282c801f356c8d8aff1cf3206f21a69a1a9fdc99a96e7442b8aedd9451a
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\qno.icm
text
MD5: 244df77d11e82b17747193e6cc0f593b
SHA256: dbf3847316e64365135200b8019cc2b1988648c26f651d09d689046c5db29b7d
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\fwl.dat
text
MD5: 3620dd0a014c0cd1946c5754ef794cbe
SHA256: cbef4329dd5497970cd9df86500a2c7423f023d637277623f212a90421c42533
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\rup.pdf
text
MD5: 8cd9a38b4fc388a5899688f7d1f20820
SHA256: 648014117838d97c152b606c6535b7b6cfdddb1e6e9f595501d40b14e609a6f2
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\ple.ppt
text
MD5: 2c5fca4d4f5509649491fefdc3dbf26c
SHA256: 1be867f07f670bc28ff903c5c9e272a5ccd97985440d40b40871c6a810045d68
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\paa.pdf
text
MD5: de0a1b10e227ed53b6824fe0e4083c99
SHA256: 151da98f0d9548079889569c3b3ee55a36488d83fb74a0a35822c50fe00169ec
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\duu.docx
text
MD5: 8c39dec9073cb54de78414b7c78f4477
SHA256: 64a4b0b76860ce0dcdc83174f4dfcfda3058c5aa068747e62a0211b17c84a341
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\xwf.mp3
text
MD5: 6f3af1846312aad7dec4e4d5540880d9
SHA256: 332870551ba7b8e960bff8741abbfeea84281c3d864485e1b4962ee4a392f0f1
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\hhk.txt
text
MD5: 23ab6138f52b4ff79fcbe47485beaddb
SHA256: 05466bf69eb045acbb5788d97e30a42308938aac34388299173a53b52c8af5d8
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\bms.docx
text
MD5: c38191a02327ff4d33826a45a2acd1c8
SHA256: 1a507a9caf0f736a0233e50ca9e424ca350877ea46af0e9c71ea72d46f34ed32
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\svl.dat
text
MD5: 97ef8ccdf025621cda0a931a296f3908
SHA256: 9720bcd7fd52ded5d52c35bf76ebe2a74484ca42d6ce59ac755c3898958f5df8
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\bxa.bmp
text
MD5: a7bd4cbf5fa62139bfa207d6de7ad381
SHA256: 573f3472a55492c0ccd95cc700956c7e4d313a6221c906c56dc5a3b14c70f2f0
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\ovk.docx
text
MD5: 9b7467b82aa815e2875db112d0d017d4
SHA256: 9bbab5b2730dd54f1210a6c9ac068e12f5b19a3390eb18e2cb28c45c7c51aeb8
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\wbt.pdf
text
MD5: ac91293d5541d35f947dbf0ded9505b5
SHA256: 56bef6b64501f910997cf77974d79d7ebb55a8e03800e4fa789bbe1584884314
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\sml.pdf
text
MD5: 973d11416e67552564f852551e740f0a
SHA256: d0cdce3871ba07408533b4e77fdad776a32155ac1726186019ab4b0adddcb288
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\qaf.txt
text
MD5: 2441dc9603986e76ef749383a632a855
SHA256: eb7e608ad969e5ea833192f7fbcd7889d526d2937f86bd482abcdb63ed60dc86
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\ent.jpg
text
MD5: 3012680f83e525ccdf15a9d94bb42351
SHA256: 4149fd355f4137888ceaf5ea6ce1d9bf2f876d229d379e5eca84daacfd38e60c
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\rjb.xl
text
MD5: 383c5a85a14471c9b88d622078508dca
SHA256: 1b270858c15a2fc29bb8c88796ea7fc831458e24cc00109f503579f67b279403
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\uik.ppt
text
MD5: 8086c839f0c76507fa3a23ad1edea071
SHA256: c74152dbfac6ab725abaf49858fee14a0f8d1571e3685f45622e361d0c9adf2e
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\ckb.jpg
text
MD5: 9b34c5b0c7b4174b06ec460e3fc08dde
SHA256: 448dba67fdaf9565010d6d405b0a74e2dcad5f9c480a8aab1d65e08296da5c62
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\tdw.icm
text
MD5: aee6cd192a02c9b77c95df0b2edfb6c4
SHA256: dee57045ff58cf389d161717156e5876a760cec8413439cd8a0ccf75ee2b4261
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\ulw.bmp
text
MD5: 3f4326c4c63f96d09a97f5e9c4fc3e7e
SHA256: ccc8940157ed8202ac5d6809ececc5a8f5bac96bcaa4b98ebb9b80c05a44ef2d
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\fjx.xl
text
MD5: 8424a653fab8a5c76495396d654aa877
SHA256: 3b63e654f55083bcf2dd49f91b4442ffaab3dc9abc867ad3a744e1db39fcc7ba
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\gri.bmp
text
MD5: 8e493787979a2353a1f72714d319edfc
SHA256: 8e03dae79630a4528b3c5f6556ad6cdaabe7b146295c067fdf213809f40edd6b
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\rdc.mp4
text
MD5: 4200b08fa72b8c639ecd99ab368ea3a9
SHA256: d9b113c3d4aea6b1490e3beb49dc0e2c12cdcf77ab743eeade527a063a736422
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\nrc.bmp
text
MD5: 352d0c8e4c9b678b28ff72f46ccf9307
SHA256: 6bdb4e1812489e02002bac34b4cf5203993b671cda4b9d71dd3a2834056b7831
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\uru.docx
text
MD5: 18c18b7e66c33f4559f7f232e2a9ed6d
SHA256: 0a9320d414ffa64e01acc8d980f8091fa8fa30d4a537c7ff20ce40e6b2b0c588
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\wwa.xl
text
MD5: f8b9b20069e9286f06cc10d082f93c71
SHA256: 553caa2ca5f97d32a5fa8ad24f4e01bd1d3ab2aaa40904c68de5a2bcbc7364b6
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\uul.pdf
text
MD5: 87e8ed4188c78b0160e357513bee3f64
SHA256: 9f4ecb1d80ff5ee72bd3c5382fda5416aeaaeb679a378afe393d0a87802db774
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\brr.mp3
text
MD5: c650d1c99b1c973dc023e4068836fa02
SHA256: 415063ffeae72476988154db4f05c5c5aa644ccf63879e3c59c66109503d5751
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\jul.docx
text
MD5: cc39ada1792a233d947c90f8ec1deb5b
SHA256: 85b1f45309e16851ea79db8dfcc6c19b75b409b4090fcdcabda028fa6eadb49f
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\njq.mp3
text
MD5: 5fcbc51d0b91e92365a8335b8f7c35d6
SHA256: 1b6b75aced89bb12c6f69f6dee72ccf5e4234bdba47d723ef7a14a90ffa256ae
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\ock.ppt
text
MD5: 4c76120ec3275ef3dff15535f9fb5894
SHA256: 42381463dcac7f3d21d9c4e1a4ffbd63cf8bc45e326ee3a0eacda484a02d0b17
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\eme.ppt
text
MD5: 9654563590d6cf4a7934ee04411710d1
SHA256: 22157976ca7ddfbfb973e76f22aa8e1ecdd91e59f687306fbb9f58816b2aafd2
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\rgv.jpg
text
MD5: 9f2927aa728c7ec6f9b8c6310ae97698
SHA256: 1a2bcaaf368a331447363003a13c3c575db4a555aae1c5f624aec949369393b6
3644
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3644.36542\PO009.scr
––
MD5:  ––
SHA256:  ––
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\okt=kwk
text
MD5: 59296b3c0b1a0b929e988b1479f6a72c
SHA256: bb0160242c1bfce0dea0e817b38b05daeb51b5a1d6b21c299c99f7313df83449
3124
PO009.scr
C:\Users\admin\AppData\Local\Temp\31453763\rvl.mp3
text
MD5: a0d75b647d83b3e412ebdee349560cd8
SHA256: 3478e35f71720dd253f3ef82bf57388c2df2454fb6039595db499d9d0d526059
1060
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 0690c45aeb51f981c706fc5e1dbd0545
SHA256: c9f9e9c8660dbd07f13b3d07b37be628983cd2d56e32ab447f51a599ad30ed6c

Network activity

HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
2
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
1060 RegSvcs.exe 89.35.228.239:57356 Teen Telecom SRL RO malicious

DNS requests

Domain IP Reputation
isaacjekwu.ddns.net 89.35.228.239 malicious

Threats

No threats detected.

Debug output strings

No debug info.