General Info

File name

Payment slip.r00

Full analysis
https://app.any.run/tasks/84460516-d512-4c0a-b7b2-d8925273a129
Verdict
Malicious activity
Analysis date
5/15/2019, 00:51:00
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

keylogger

hawkeye

stealer

evasion

trojan

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

5be6f6f30d87ca5daf0753c40d17e10b

SHA1

400d51e9b74d17c82ef4d115ef0ff1b76eb15ede

SHA256

6ffd492eb82a4ff227cdacb0a2fc0ac6368e649f8e4f931d55327c80bed6b9b7

SSDEEP

24576:i5/q4JX1Jx+0Z1lGq+vH5DLHCc/u6NDLRFbqBD5slNT9:idXbXvwDLFu6NHbT9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • iwa.exe (PID: 2528)
  • iwa.exe (PID: 3664)
  • Payment slip.exe (PID: 1432)
Actions look like stealing of personal data
  • vbc.exe (PID: 1028)
  • vbc.exe (PID: 1916)
Stealing of credential data
  • vbc.exe (PID: 1916)
Detected Hawkeye Keylogger
  • RegSvcs.exe (PID: 3076)
Changes the autorun value in the registry
  • iwa.exe (PID: 2528)
Loads DLL from Mozilla Firefox
  • vbc.exe (PID: 1028)
Executes scripts
  • RegSvcs.exe (PID: 3076)
Application launched itself
  • iwa.exe (PID: 3664)
Drop AutoIt3 executable file
  • Payment slip.exe (PID: 1432)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 1440)
  • Payment slip.exe (PID: 1432)
Dropped object may contain Bitcoin addresses
  • iwa.exe (PID: 3664)
  • Payment slip.exe (PID: 1432)
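
The behavior list above describes a chain worth encoding as detection logic: an executable run straight out of WinRAR's extraction folder, a dropper whose version resource holds random upper-case junk (Company "I79ES90RF71X"), an AutoIt-compiled binary re-launching itself with an extensionless script as its argument, a signed .NET utility (RegSvcs.exe) started with an empty command line by a binary in the user's Temp directory (the process in which the Hawkeye detection fires), and vbc.exe, a compiler, run with the NirSoft-style /stext switch while loading Firefox's nss3.dll. The Python below is an added example written for this page, not ANY.RUN's or the sample's code. PROCESSES is constructed from the Process information section below (PID, parent, command line, Company field and a few loaded modules); the rule names, the list of .NET host binaries and the "junk version info" regex are this example's own assumptions.

```python
"""Process-tree triage for the loader-to-stealer chain in this report.

Added example, not ANY.RUN's or the sample's code.  PROCESSES is constructed
from the Process information section (PID, parent, command line, Company
field, and a few loaded modules); rule names and thresholds are assumptions.
"""
import ntpath
import re

PROCESSES = [
    {"pid": 1440, "parent": None, "company": "Alexander Roshal", "modules": [],
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment slip.r00"'},
    {"pid": 1432, "parent": 1440, "company": "I79ES90RF71X", "modules": [],
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe"'},
    {"pid": 3664, "parent": 1432, "company": "AutoIt Team", "modules": [],
     "image": r"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe" ldw=kvp'},
    {"pid": 2528, "parent": 3664, "company": "AutoIt Team", "modules": [],
     "image": r"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe",
     "cmd": r"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe C:\Users\admin\AppData\Local\Temp\76398576\JATGG"},
    {"pid": 3076, "parent": 2528, "company": "Microsoft Corporation", "modules": [],
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 1028, "parent": 3076, "company": "Microsoft Corporation",
     "modules": [r"c:\program files\mozilla firefox\nss3.dll", r"c:\windows\system32\vaultcli.dll"],
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp5E83.tmp"'},
    {"pid": 1916, "parent": 3076, "company": "Microsoft Corporation",
     "modules": [r"c:\windows\system32\pstorec.dll"],
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7623.tmp"'},
]

DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}  # assumption: common injection hosts
FIREFOX_NSS = {"nss3.dll", "softokn3.dll", "freebl3.dll"}  # Firefox crypto DLLs used to decrypt saved logins


def basename(path):
    return ntpath.basename(path).lower()


def args_after_image(cmd):
    """Everything after the (possibly quoted) image token of a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def chain(processes, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = {p["pid"]: p for p in processes}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["parent"]
    return names[::-1]


def triage(processes):
    """Return sorted (pid, rule) pairs for every heuristic a process trips."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        pid, image, name = p["pid"], p["image"], basename(p["image"])
        args, parent = args_after_image(p["cmd"]), by_pid.get(p["parent"])
        # 1. Executable run from WinRAR's per-extraction temp folder (Rar$EX<pid>.<n>).
        if "\\rar$ex" in image.lower():
            findings.append((pid, "exec_from_winrar_temp"))
        # 2. Version resource filled with random-looking upper-case alphanumerics.
        if re.fullmatch(r"[A-Z0-9]{8,}", p["company"]):
            findings.append((pid, "junk_version_info"))
        # 3. AutoIt interpreter re-launching itself with an extensionless script path.
        if (p["company"] == "AutoIt Team" and parent and basename(parent["image"]) == name
                and args and not ntpath.splitext(args.strip('"'))[1]):
            findings.append((pid, "autoit_self_launch_with_script"))
        # 4. Signed .NET utility started with an empty command line by something in the user's Temp.
        if (name in DOTNET_HOSTS and not args and parent
                and "\\appdata\\local\\temp\\" in parent["image"].lower()):
            findings.append((pid, "dotnet_host_launched_empty_from_temp"))
        # 5. /stext is the NirSoft "save as text" switch; the VB compiler has no such option.
        if name == "vbc.exe" and "/stext" in args.lower():
            findings.append((pid, "nirsoft_stext_in_compiler"))
        # 6. Firefox's NSS libraries mapped into a process that does not live in Firefox's folder.
        if any(basename(m) in FIREFOX_NSS
               and ntpath.dirname(m).lower() != ntpath.dirname(image).lower() for m in p["modules"]):
            findings.append((pid, "firefox_nss_loaded_by_" + name))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in triage(PROCESSES):
        print(pid, rule, " -> ".join(chain(PROCESSES, pid)))
```

Rules 4 and 5 are the ones that carry over to other samples: a .NET framework utility with no arguments whose parent is a user-writable path, and a compiler binary carrying a NirSoft switch, are both abnormal regardless of which stealer family is behind them. Rule 2 is a weak signal on its own and is only useful in combination with the others.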


Static information

TRiD
  • .rar   RAR compressed archive (v5.0) (61.5%)
  • .rar   RAR compressed archive (gen) (38.4%)

Processes

Total processes
38
Monitored processes
7
Malicious processes
5
Suspicious processes
1

Behavior graph

winrar.exe -> payment slip.exe -> iwa.exe (no specs) -> iwa.exe -> regsvcs.exe (#HAWKEYE) -> vbc.exe, vbc.exe
(edge labels as drawn in the graph: drop and start, start, drop and start)

Process information

PID
1440
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Payment slip.r00"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa1440.29818\payment slip.exe
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll

PID
1432
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
I79ES90RF71X
Description
T74KK73VJ83C
Version
J68ZG74FT75M
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa1440.29818\payment slip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\76398576\iwa.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
3664
CMD
"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe" ldw=kvp
Path
C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe
Indicators
No indicators
Parent process
Payment slip.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\76398576\iwa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
2528
CMD
C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe C:\Users\admin\AppData\Local\Temp\76398576\JATGG
Path
C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe
Indicators
Parent process
iwa.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\76398576\iwa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
3076
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
iwa.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\psapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID
1028
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp5E83.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Indicators
Parent process
RegSvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual Basic Command Line Compiler
Version
8.0.50727.5420
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\vaultcli.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\psapi.dll

PID
1916
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\admin\AppData\Local\Temp\tmp7623.tmp"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Indicators
Parent process
RegSvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual Basic Command Line Compiler
Version
8.0.50727.5420
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
878
Read events
827
Write events
51
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
1440 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Payment slip.r00
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000220105000000000039000000B40200000000000001000000
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000002A01050000000000160000002A0000000000000002000000
1440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000EC0006000000000016000000640000000000000003000000
1432 | Payment slip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1432 | Payment slip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2528 | iwa.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe | C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe C:\Users\admin\AppData\Local\Temp\76398576\LDW_KV~1
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32 | EnableFileTracing | 0
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32 | EnableConsoleTracing | 0
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32 | FileTracingMask | 4294901760
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32 | ConsoleTracingMask | 4294901760
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32 | MaxFileSize | 1048576
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32 | FileDirectory | %windir%\tracing
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS | EnableFileTracing | 0
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS | EnableConsoleTracing | 0
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS | FileTracingMask | 4294901760
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS | ConsoleTracingMask | 4294901760
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS | MaxFileSize | 1048576
3076 | RegSvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASMANCS | FileDirectory | %windir%\tracing
3076 | RegSvcs.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
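
The single persistence write in the table above (PID 2528, iwa.exe) has every property a Run-key triage rule should look for: the value name impersonates a Windows binary (winlogon.exe), the image lives under the user's Temp directory, and the script is passed as an 8.3 short name (LDW_KV~1, consistent with the ldw=kvp argument seen on PID 3664, since "=" is not a legal 8.3 character). The Python below is an added example, not code from the report. REGISTRY_WRITES is copied from the table with two benign rows kept as negative controls; the autostart key pattern, the user-writable directory list, the system-name list and the rule names are this example's assumptions.

```python
"""Run-key persistence triage for the registry writes in this report.

Added example, not code from the report.  REGISTRY_WRITES is copied from the
Modification events table (two benign rows kept as negative controls); the
key pattern, directory list, system-name list and rule names are assumptions.
"""
import ntpath
import re

REGISTRY_WRITES = [
    {"pid": 1440, "process": "WinRAR.exe", "name": "LastFolder",
     "key": r"HKEY_CURRENT_USER\Software\WinRAR\General",
     "value": r"C:\Users\admin\AppData\Local\Temp"},
    {"pid": 2528, "process": "iwa.exe", "name": "winlogon.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe C:\Users\admin\AppData\Local\Temp\76398576\LDW_KV~1"},
    {"pid": 3076, "process": "RegSvcs.exe", "name": "EnableFileTracing",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegSvcs_RASAPI32",
     "value": "0"},
]

AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "svchost.exe", "explorer.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
SHORT_NAME = re.compile(r"[A-Z0-9_]{1,6}~\d")  # 8.3 short-name form such as LDW_KV~1


def split_command(value):
    """Split a Run value into (image path, argument string), honouring a quoted image."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end], v[end + 1:].strip()
    head, _, rest = v.partition(" ")
    return head, rest.strip()


def triage_run_keys(writes):
    """Return one finding per autostart write, each with the reasons it looks suspicious."""
    findings = []
    for w in writes:
        if not AUTOSTART_KEY.search(w["key"]):
            continue
        image, args = split_command(w["value"])
        reasons = []
        if any(d in image.lower() for d in USER_WRITABLE):
            reasons.append("image_in_user_writable_dir")
        # Value name borrowed from a core Windows binary while the image is something else.
        if w["name"].lower() in SYSTEM_NAMES and ntpath.basename(image).lower() != w["name"].lower():
            reasons.append("value_name_impersonates_" + w["name"].lower())
        if SHORT_NAME.search(args):
            reasons.append("8dot3_short_name_in_args")
        first = args.split()[0].strip('"') if args else ""
        if first and not ntpath.splitext(ntpath.basename(first))[1]:
            reasons.append("extensionless_argument")
        findings.append({"pid": w["pid"], "process": w["process"], "key": w["key"],
                         "name": w["name"], "image": image, "args": args, "reasons": reasons})
    return findings


def removal_command(finding):
    """reg.exe command that deletes the autorun value (run after the image itself is quarantined)."""
    return 'reg delete "%s" /v "%s" /f' % (finding["key"], finding["name"])


if __name__ == "__main__":
    for f in triage_run_keys(REGISTRY_WRITES):
        print(f["pid"], f["process"], f["reasons"])
        print("  ", removal_command(f))
```

Deleting the value alone does not end the infection: the interpreter and its script are still on disk and RegSvcs.exe is still running in this trace, so the removal command belongs after the processes are killed and the 76398576 directory is collected.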

Files activity

Executable files
2
Suspicious files
0
Text files
53
Unknown types
0
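
The counts above (2 executables against 53 text files) reflect a layout visible in the dropped-file table below: one directory under Temp holding the AutoIt binary, an extensionless file (JATGG) that the interpreter is later started with, and dozens of small text files named with document and media extensions (.docx, .mp4, .bmp, .mp3, .ppt, ...). The Python below is an added example, not the sandbox's code. It classifies each dropped file by declared extension versus the type the sandbox reported and flags any directory that combines an executable, an extensionless file and decoy clutter; DROPS is a constructed subset of the table, and the extension list, the threshold of three decoys and the verdict names are this example's own.

```python
"""Dropped-file layout triage for the AutoIt loader in this report.

Added example, not the sandbox's code.  DROPS is a constructed subset of the
Dropped files table (path and sandbox-reported type as shown there); the
extension list, thresholds and verdict names are this example's assumptions.
"""
import ntpath
import re
from collections import defaultdict

DROPS = [
    (1440, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe", "executable"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe", "executable"),
    (3076, "RegSvcs.exe", r"C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904", "text"),
    (3664, "iwa.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\JATGG", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\fnj.docx", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\aql.dat", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\nad.mp4", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\ell.bmp", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\jpi.mp3", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\gpb.ppt", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\egn.ico", "text"),
    (1432, "Payment slip.exe", r"C:\Users\admin\AppData\Local\Temp\76398576\mkl.txt", "text"),
]

BINARY_EXTS = {".docx", ".ppt", ".mp4", ".mp3", ".bmp", ".jpg", ".ico", ".icm"}  # formats that are never plain text
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def classify(drop):
    """Label one (pid, process, path, type) record."""
    _, _, path, ftype = drop
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].lower()
    if ftype == "executable":
        return "executable"
    if ext in BINARY_EXTS and ftype == "text":
        return "decoy"           # extension promises a binary format, content is text
    if not ext and GUID_RE.match(name):
        return "guid_temp_file"
    if not ext:
        return "extensionless"   # script candidate when it sits next to an interpreter
    return "other"               # .dat / .txt with text content are unremarkable alone


def triage_drops(drops):
    """Group drops per directory and give each directory a verdict."""
    per_dir = defaultdict(lambda: {"executables": [], "script_candidates": [],
                                   "guid_files": [], "decoys": 0, "other": 0})
    for d in drops:
        kind, name = classify(d), ntpath.basename(d[2])
        b = per_dir[ntpath.dirname(d[2]).lower()]
        if kind == "executable":
            b["executables"].append(name)
        elif kind == "extensionless":
            b["script_candidates"].append(name)
        elif kind == "guid_temp_file":
            b["guid_files"].append(name)
        elif kind == "decoy":
            b["decoys"] += 1
        else:
            b["other"] += 1
    verdicts = {}
    for directory, b in per_dir.items():
        if b["executables"] and b["script_candidates"] and b["decoys"] >= 3:
            verdicts[directory] = "autoit_loader_layout"   # interpreter + script + decoy clutter
        elif b["guid_files"]:
            verdicts[directory] = "guid_named_temp_file"   # here written by RegSvcs.exe; collect it
        else:
            verdicts[directory] = "unremarkable"
    return dict(per_dir), verdicts


if __name__ == "__main__":
    buckets, verdicts = triage_drops(DROPS)
    for directory, verdict in verdicts.items():
        print(verdict, directory, buckets[directory])
```

The extension check works on the sandbox's own type column; on a live host the same idea is applied by reading the first bytes of each file (a .docx is a ZIP, a .bmp starts with "BM") rather than trusting the name.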

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1440 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1440.29818\Payment slip.exe | executable | 6deab4083dfa6579c30841efb8be8928 | 6ddedd63f0b924bf9323060f610bdaa6903bbed4faf085110a8681ca8309702a
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\iwa.exe | executable | c56b5f0201a3b3de53e561fe76912bfd | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3076 | RegSvcs.exe | C:\Users\admin\AppData\Local\Temp\25291068-43af-3e16-50f6-5889d9ce7904 | text | 1f05d2557d21ef605a9a476d5494863a | c54ef4925fc00f8f36f179758f5ddc52d5cbb128722a28ab99a3c3c71b28f9b3
3664 | iwa.exe | C:\Users\admin\AppData\Local\Temp\76398576\JATGG | text | 02cf690f60322ef0711f0b69cb6e5538 | 9cd6cd969dbd43865f7b5b983379426d229b5337f9508831ac5df30d1507b9fc
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\fnj.docx | text | 49f2e0a8367b4fd59fa596af22415812 | c8f484986bc581e2e06fc2206bbd3b78fa0755dcf37428f18f8979ba1b29a748
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\aql.dat | text | c53c0d7542dc9d845a3f67f13cc8bf79 | 1c0d1080537c534566b7d799a3a652da81cdabdb9b9551a9ef8f968dfcc26f55
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\nad.mp4 | text | 1a12fe5d639872cc39ca363d687098d7 | 8870440e58a88ebd32b76a287ae03b8825a5353fd9efcb1c772cb82f20f29e94
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\ell.bmp | text | 8ee015bf71506f2dc4993747f1496636 | ef90df5b45a5c75e29be8a7d1537940b800cf3e2b621ed18a4d47c4aabdce273
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\jpi.mp3 | text | bfca6372100d17af859c4dbe4efbcc87 | 77703ba48e72062dcbbb8eecb378e46b34650307bad9853984bfd77e986fcf47
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\fta.xl | text | 941fb496089203e3bacd1c398b6bd93a | 2d63188f5ef99f715e3a42e8eb71b891dbc5f70a30a29e35130471c19f739efd
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\pqo.icm | text | 37d2904c273c6d82de193389fa58caf2 | 05f1cb2452663d186adeedf2b711fe64f5601568cd2e887efe6347c688672979
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\gpb.ppt | text | 0bab0705b7690d186f1d028b31a71882 | 8cdc612d46026f41629f141404d2c8ba94186bab8d8f45daad2ea034071cc9f2
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\ego.xl | text | 449cd33c4d76a64e2577de8fe425f7e8 | 72ce5014aecd31d89a508569aa82882a45e4bb718af7e6edc84d610f1def5846
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\clh.icm | text | 9d598910911598b166bcb6b369654a2f | 4da212262eadea00191f448e51934fb1fcc45b94a5d4116d3a64dc2bf3be6e14
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\jpg.dat | text | da80769bdc92e85d5320328878f31ed3 | 608ad4b1dcd5836398824415cc05e9215e042d3acd8715d9f6a94edaf2b6d2f6
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\egn.ico | text | e2bd25680fc74a7792721224b9a0460b | 5371c3f78fc1273440a9aff8d013233701cabcd4bb729eacf27a8085438d6013
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\khr.mp4 | text | efc5a57b8716ddd223910446dfc11682 | e0d247215e73002b31fa64f1153cc3d1afe5d3957544fe57cc29149e93d6ffe9
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\sbl.jpg | text | e28eca2eda6f5df8783871e867a29065 | 99f82e6860b094e702be66d89ed1292284ce24cda47b055fce4b60aea294649d
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\sqq.ico | text | 0a3ce33c05d717ce5412d738bad4e261 | 23d5a88a77a8807d673e6c7e3f11e2a039239bedf5f422de08fea1e0839bc359
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\vgo.docx | text | 9ebdbb3a2e17d4188c6d29259d8e33fb | 475a407b7d2c97af49fa40593202a3ec1f6c1a0c12820b63dc09ed309cb7576c
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\wie.dat | text | 797c8db02676b5bf1f34c68fea4adc10 | cc4b8ea8b2f09b56ccf13854a5ab8b1686bd4a7912ef8b7d89d42f66326a0160
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\fnx.ppt | text | 56c6785ab257208156bb44005e36f132 | 48cd46740b0cbc543282a2ac737e182ad0075a7b02b7db512fffcc7f2d88f086
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\dpg.dat | text | a7019293a27ecaf55345456e7f4f0306 | 87be9d15b1bda7bfbd785d9199f396b356426a649b8432cda221742800de680f
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\ssw.icm | text | a8855960fa5407eb69123323f2b33376 | 3a187962055bf417757e9198c38351444e85f57c86b9ce7d75314fe397577d3e
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\sfm.ppt | text | 2e9ea3e6f16d04e797d726239ceb1721 | c837c44d2d2f216f66dd86d271dbcce1fdcba80045d4486dd6215dff2a42ba54
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\gfw.xl | text | 8df6352c050843f8ad29cf5b9034191c | 631f9c2f0ea7565c7f38ad0313ffdef34883d3a6e7504b79b335f643f0b077c3
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\mkl.txt | text | a8658de01236781f1a75427e60d9b717 | f3cf4f0c5dc1b91122e439e61e954a9d5f253a35b29e95cdbb964dcddb6a11ec
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\efo.dat | text | 02d05ecd3892a24e4163e13cccff5033 | 357aab47dff6c34830b5f021c90b641475796473b558dd7a4554c8dee2d4c14d
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\qip.icm | text | 7c69a02fcf54ddcb0e1e64147a3b1abf | 1c7065832b795097bad6d9f1ba4b596c17fdf53d5ba59cec4d0041ae17ae2837
1432 | Payment slip.exe | C:\Users\admin\AppData\Local\Temp\76398576\lwh.ico
text
MD5: 04fea7237df47dcb74ab7e755aa31c84
SHA256: b82b0ef3b622a607ab8d2e9dbd268fe532a0cb864ef20e034aeb3b8dde1a3fbd
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\lvu.pdf
text
MD5: 2690bc01b4dd7770564573b51dc89269
SHA256: 79c08c711b082a399bac96a8e52365c4be51460438925cf76fd8a777f4cb504f
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\bpj.txt
text
MD5: caa4994c93cfbc651c2d44f87139690c
SHA256: 250fad7240a6209c40046409b82e003dd2df8a498182d46dc919e0b3f3ab49be
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\gwr.icm
text
MD5: 5aae16a286b735724c34044a6cc5d371
SHA256: 61cb577a3bb821f9969f83a0fd78a10e48a02bb0d2adf54679ef4159ab01a18f
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\koc.xl
text
MD5: 353585bfbb69400e50e8a0ce4b0c39a6
SHA256: 8d022033e3cc549e5da3064d51dd02a69b9b7420986ee4b4e1cbdb090149c041
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\wvr.bmp
text
MD5: fbe866b6c1dd09fd128149953186e2cb
SHA256: 15cd2c7ca7d035b47211f387964923fbba06399061d7876fa7c28fbf201072ef
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\svt.xl
text
MD5: 6a46289f78675dcd26fa1f5264861b77
SHA256: 99ef55ef71156e565220dc03f837527e80bd3de054c6bd4f1d71add3ed419f35
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\csv.ppt
text
MD5: 7767d3920b132dee27b9a10ce1ceb00d
SHA256: 6673505e4af1b18913f39d9b91d6734a87299fd9d2db188d53a9fd90f9e8311c
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\rhd.ppt
text
MD5: b97d65d121264e5a3876bea6ab2266c2
SHA256: 9e71ae2eef2b1f67371dcf32b31cbe651a48addc6a4f02103b7371aa13bb0511
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\ilg.txt
text
MD5: 35b5d96aeedcb7f694d037457855cf3f
SHA256: db973d4652d20444158ac31b5a283ac527554f21a76c20782c47c81799dac35a
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\etd.txt
text
MD5: 40dd483781acd2f02829412d232588d4
SHA256: 139e954fa757e0de01cb099cc5a17162ba3e59bd21aa70079328767a0657177a
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\ntf.xl
text
MD5: 92a4bc2296a4db106edadc7f3e8e0770
SHA256: d665a643e459f78eb00a398dffdd38ae4ff6885aded47c7cf3b95efc14be4fe6
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\pbh.pdf
text
MD5: 3138b3eab052e5b530d34b26a0cedb13
SHA256: e9bcf9e3da9855824dc523e2b79b09abf5f251433e1a37acd5eef50761cde35e
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\prs.ico
text
MD5: 780f7239022c2cdcceea342a4815f48e
SHA256: d4a0b7cab55e22100e17496b85bd6a1f2266f7672614ba831acf7df665663e9a
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\seb.txt
text
MD5: 6c1fe31d1fca4448a85ce3355a683176
SHA256: 5bc68c5fdb5adfb206942548efa20894fb566d70b002fa63845d6d66d4fe55a1
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\dhv.xl
text
MD5: fafa72cce4b4d9495f93d8b4727c5d9d
SHA256: e7003f2b93788277f252b84a3d37f1192e45d2e41f79d007fbb64307192eefa4
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\sxt.mp3
text
MD5: 10970fb63b9d5284ea7d1948fd33bde2
SHA256: 2bc51dee54177c07d23ead4fb2de22fe4e28f9c5e728bf387853e14ba58968f7
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\pxq.docx
text
MD5: 9285d6b650675d8b44505377d2fd66be
SHA256: b0227deb4f04de1eddf3660099b28d81fe8a4e433b200a1124dca2a2ffb0ccc6
1916
vbc.exe
C:\Users\admin\AppData\Local\Temp\tmp7623.tmp
text
MD5: 7fb9a9ad0fd9b1e0108ed71fbb276048
SHA256: 7d63c301317e144b0133a72250ae2d8e09af65a92e6a807ec58a71939fe530a9
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\ben.ppt
text
MD5: bc46799c3cc862c5757dbf4ce591ae17
SHA256: 307976ffe39a0de2b9d49c9ac987b0dd0c7799f5ccef7fc588ddbbbedbd81194
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\qbr.ico
text
MD5: e255e39cb529d92499b90d92cedba0bb
SHA256: ad45bac7f5d2e9cc9ac081dcdf0c4ce5808fcd65e08530fae4d10863dfdac315
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\bjw.xl
text
MD5: b0d4d7304c100fa68ce3ff37d0471ff1
SHA256: e5314ee2cdf309cc30a347cfbb8f7a54bb7efd57d9e181cf3f5f10228039fabb
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\FileConstants.bmp
text
MD5: 2572f3fe9aac7fc39649500186f605ed
SHA256: d79981b760506e40d80a083ec44edc9d2c257e35cea9a21415d6afb101b0f127
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\kef.mp3
text
MD5: a4aa5051259457f07d77e5c20c4d2cb0
SHA256: c2abc4e20b72366ad4ee2959cda46312c1ef0c552aa88ac5a8b14105124e826c
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\ldw=kvp
text
MD5: 800dd0fe9a090631d892155f711fefc4
SHA256: e026da3c9961781e678d665cf74dc965da19f82205dd39de6ffc04e0d09e5929
1432
Payment slip.exe
C:\Users\admin\AppData\Local\Temp\76398576\ColorConstants.xl
text
MD5: 4a2e9b9e09ab3996400a256ae6c8d37a
SHA256: e0bf1fd7de890fa87334f721536fb46c8633e5985f89520913f385cf4b05bf1b
1028
vbc.exe
C:\Users\admin\AppData\Local\Temp\tmp5E83.tmp
––
MD5:  ––
SHA256:  ––

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
3

HTTP requests

PID   Process      Method  HTTP Code  IP                 URL                                CN  Type  Size  Reputation
3076  RegSvcs.exe  GET     200        66.171.248.178:80  http://bot.whatismyipaddress.com/  US  text  ––    shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID   Process      IP                 ASN                          CN  Reputation
3076  RegSvcs.exe  66.171.248.178:80  Alchemy Communications, Inc. US  malicious
3076  RegSvcs.exe  77.88.21.38:587    YANDEX LLC                   RU  whitelisted

DNS requests

Domain                     IP              Reputation
bot.whatismyipaddress.com  66.171.248.178  shared
smtp.yandex.com            77.88.21.38     shared
                           93.158.134.38
                           213.180.204.38
                           87.250.250.38
                           213.180.193.38

Threats

PID Process Class Message
3076 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] Spy.HawkEye IP Check

2 ETPRO signatures available at the full report

Debug output strings

No debug info.