General Info

File name
7a16174f3941e1a878573a3e9f500256016831464ce78b54b615d4b480e35ee7

Full analysis
https://app.any.run/tasks/b7424c91-5085-46dd-b505-593d036f347a
Verdict
Malicious activity
Analysis date
1/11/2019, 04:50:31
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
  • autoit
  • trojan
  • nanocore
  • rat

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5
28fee939dd858727fac790c9f29f5826
SHA1
4865ebcbc9ae592bed1845fffc2d67ee4f4f5d84
SHA256
7a16174f3941e1a878573a3e9f500256016831464ce78b54b615d4b480e35ee7
SSDEEP
24576:puxoZCH8Szb2xr1lQ7Q2Pe6xUgH1eOqbZSIEMea:7ZY2xx27zniSI5P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • hqc.exe (PID: 2904)
Application was dropped or rewritten from another process
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 4056)
  • hqc.exe (PID: 2904)
  • hqc.exe (PID: 4076)
Connects to CnC server
  • RegSvcs.exe (PID: 4068)
NanoCore was detected
  • RegSvcs.exe (PID: 4068)
Connects to unusual port
  • RegSvcs.exe (PID: 4068)
Application launched itself
  • hqc.exe (PID: 4076)
Executable content was dropped or overwritten
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 4056)
  • WinRAR.exe (PID: 2984)
Creates files in the user directory
  • RegSvcs.exe (PID: 4068)
Drop AutoIt3 executable file
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 4056)
Dropped object may contain Bitcoin addresses
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 4056)
  • hqc.exe (PID: 4076)

Static information

TRiD
.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes
36
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

start -> winrar.exe -> (drop and start) revised telex release 0509896_igs50595.exe -> hqc.exe (no specs) -> hqc.exe -> regsvcs.exe (#NANOCORE)
Process information

PID
2984
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7a16174f3941e1a878573a3e9f500256016831464ce78b54b615d4b480e35ee7.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
4056
CMD
"C:\Users\admin\Desktop\REVISED TELEX RELEASE 0509896_igs50595.exe"
Path
C:\Users\admin\Desktop\REVISED TELEX RELEASE 0509896_igs50595.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\revised telex release 0509896_igs50595.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\30954511\hqc.exe

PID
4076
CMD
"C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe" klc=jts
Path
C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe
Indicators
No indicators
Parent process
REVISED TELEX RELEASE 0509896_igs50595.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\30954511\hqc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
2904
CMD
C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe C:\Users\admin\AppData\Local\Temp\30954511\IFEGS
Path
C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe
Indicators
Parent process
hqc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\30954511\hqc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
4068
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
hqc.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

Registry activity

Total events
830
Read events
797
Write events
33
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
2984 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\7a16174f3941e1a878573a3e9f500256016831464ce78b54b615d4b480e35ee7.rar
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000300101000000000039000000B40200000000000001000000
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000003201010000000000160000002A0000000000000002000000
2984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000180102000000000016000000640000000000000003000000
4056 | REVISED TELEX RELEASE 0509896_igs50595.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
4056 | REVISED TELEX RELEASE 0509896_igs50595.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2904 | hqc.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe C:\Users\admin\AppData\Local\Temp\30954511\KLC_JT~1

Files activity

Executable files
2
Suspicious files
0
Text files
52
Unknown types
0

Dropped files

PID
Process
Filename
Type
2984
WinRAR.exe
C:\Users\admin\Desktop\REVISED TELEX RELEASE 0509896_igs50595.exe
executable
MD5: a40714376c43c893afb72e96bba3e130
SHA256: b147ad75d27db7ad9c23fe86fcadc4097a10d7004285f214787fa0d56a9b3d8e
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\sxd.pdf
text
MD5: 2eeb8fa5c1c5d8dd52efe109d0a23214
SHA256: 7b4fb3e713d8f4d9981fdc86e77de90443a648dfc2af624cbf20e729c8fd9c97
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\kjl.pdf
text
MD5: 9cee7bae509eb872040b6a8471236180
SHA256: b1b2bd82adefcdb825e383c728934d8f80e7634ce0749be07959fad862207dc2
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\rjm.bmp
text
MD5: 690ad8d8e89ea078ca76c850654bc545
SHA256: 156310fd085c6df864508d8a210b1693c8c774e1372b39465aff368788b4b986
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\hcu.bmp
text
MD5: c6d6b6f8de03885e939ec258ac8d0049
SHA256: 3f5b57d91489567f17b67c6c9e525cd1d46ab6a9b15e059e14117d16562388c9
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\sii.jpg
text
MD5: 6ba4cb6c47577caac9b720d53bb8aea7
SHA256: ba48bd952ba2850532ac420281cb190c6f66a80d867a22bc0ad2b55b9494d244
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\qun.icm
text
MD5: 0aad3cb4c0fb82c1d2860d12e82fe84b
SHA256: 21e73aae3bc42ba13df5ff9a1852769abb354fd8df62c61a50d934a357d418ee
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\xlf.pdf
text
MD5: 90744cf803822da0c54d4206787e4095
SHA256: 3dc322eee0a550a52abd35a4880e44a2cb029ad47c408a7c828a2f75d928cd5b
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\twl.ico
text
MD5: 82bfdc9fc78b483cda8756902fdfd298
SHA256: 29da136597b11192fd69c56da086120ea876fd1b0d5c627fc4f6eb459719838b
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\mwe.mp4
text
MD5: fcfa266451011686b0efc8f2b304855c
SHA256: 40f615f1f12d5f19aa27d592be7db4fb75f71eb7f7eeaec8b4e5ddb9b1858e4a
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\bqa.xl
text
MD5: bbc802f99f0035efe910bd0e7ea9791d
SHA256: 68770b81d369856a584677893452b6fcf5a5b0c7f4daf934607edb97a2f916e6
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\svf.docx
text
MD5: 0f6616867402290959aa1562683bb329
SHA256: 8b74982c9ea4ee53f02129f281a58496f9cd46677bc4b4a3dee3d32d64e4ccad
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\moh.bmp
text
MD5: 7371ad99d95f6a2e7fd5db9dfe702e55
SHA256: b0b21e31208e2722d49c747397cbe798207485c883124013ee0319ec7ca81cc7
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\qfw.txt
text
MD5: 932f14af421c1caa26867e31389fa5d3
SHA256: 01279ed663fc796612037155e23ee0c9a5ce8fbcb4894e65d509679502761c97
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\iqw.xl
text
MD5: 41d1f8c417cc109f5bbd1f7502861d36
SHA256: 957400c50802189c143a924f5068f817cc050e36c60589dfffdef99378918eda
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\koq.ico
text
MD5: 5cf357f66cfb8f596229597cc9e1d8dc
SHA256: d9e9748fe5e37e223e2b642992acd97cf083baee9a12b0d6d7ffd17ce4ee0985
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\lfj.dat
text
MD5: 9f3690fc6f08dd5802f6bb5076b7ac73
SHA256: 109c23dd5c10d75756e1bec43b5ef50913f90b3c39335cff8595741670b0c437
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\njn.bmp
text
MD5: e5275e1cc3e910c3c437df3b3aaff22b
SHA256: b455c6f966c11d3f95dfb4e94124f1e2e2915c803825fd04165fa9f6ecd4d0f1
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\kdi.jpg
text
MD5: ed01bfba1dc957acf7435baff67551ae
SHA256: c92669d6be7ab9ed494d2bb77a8c1f18cd4ae44e182c66e55fb3e57bdb5b0c17
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\enm.xl
text
MD5: c720fd5d521de9a8d611c85dbf93dc8c
SHA256: fd8cfc51e23b75302371c95416e6d38868aa0b3955cf8cd2509aaf3c3f831c93
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\jdo.mp4
text
MD5: 5be45d60ed9b4bc6049f6b0560a17a25
SHA256: 5fba95cc8622059de1a57f5af4947c56855a51af51850f61cbdf4fe8e228328a
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\cgq.mp3
text
MD5: f270057aa690a67fc5111c491774e0c5
SHA256: 5316b8ba42048a7857f90ffff1d5cb9f9bc2037c52efe816199948d93d1f2486
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\amt.dat
text
MD5: 567ae1ec4751447274fb0d1a104c0735
SHA256: 58538b8fae733aa00744758f1770d581a837c5bfd5d0f6b0f03ffeee05f685d5
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\mxw.jpg
text
MD5: b6d6f0fce7ef0b0977a4ec845a9d0fa2
SHA256: a80369fbc237240894a3c385c296ae09f49b651e7fb563de1d2e955d8fb0513a
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\odn.ico
text
MD5: 0cdeaf505e6926961fd5418d4230b07c
SHA256: 7ff4d7715d70c431da612a7cddb8e5d6fed54e83eb10888a34cf056249649ffd
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\tsm.dat
text
MD5: 90d71b882c0da36559fbd54e3fa0b2dc
SHA256: aeb509346a974e2d7646d46d2d4eb98a019a22c6780714a2a29acf2bb3112d60
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\jxc.icm
text
MD5: 6a648eca05cb8ad31d68b98744278f6f
SHA256: eac02be5988d9852d0311ee7199b7bd6282c83daf043bf8e4a46a8ed9a23392c
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\cfi.xl
text
MD5: 4f8aab9b31092b65c385aec77358b220
SHA256: 67f7b8159d195beb2ffbc0aaeb62ac876f25644bf853757581e616a4fc594737
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\sfm.jpg
text
MD5: ddd778f3a4bf54e6c36e2aae06c0cc50
SHA256: 0018828b73e8a33ae320ea17b5c730312ca9908958917760835455a1d852d22c
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\cth.ppt
text
MD5: 988d8228564468e736875aee2d407454
SHA256: 26f3ae47a82014ee2161008a5729468c9849ee2c75d39f56bd44d945d9a9e082
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\hiu.txt
text
MD5: 73b7042f506511662f923302ac904d05
SHA256: c156306969eef81c84271b5a630c7140c3ae7430edc85379e580c12b5ba1edb5
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\xvo.icm
text
MD5: 261654893dbeff446b721d95094eac1c
SHA256: f7f8514d4f7d0b3b5e867badd96f3657739b034b201a3a2010e0e44349bc5061
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\pjs.txt
text
MD5: ef9a50922e910e5258c2455c0b4b9370
SHA256: 8721fb7de6c8a4bc9af90cd4449e3e5dcde3dacbbc999427516d7d35864bac08
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\kpg.dat
text
MD5: a74b74d72603cf19cef64cbb27b3edfd
SHA256: dca35d3b7dd36ec7d18045be2aeb1bf64fdeb5e680272894810ce499d69b40c2
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\qfv.bmp
text
MD5: abda8d7db8a4ecf6f2916de5cfdf6c95
SHA256: 7572496705193efd86880a71b406cbab45df25b006b9354fd7c53e8dde557415
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\dxe.docx
text
MD5: c075f615861c652b29fc0248f6729eeb
SHA256: 458533bb3ae5383290f0c112d9ba946663256534c920679edb9140711f40ab24
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\oqh.bmp
text
MD5: 1c5c49957f96a5ece97ec36e48c91ae9
SHA256: e647e96bd55a436288c7ad33d16d89084be6b044d114de64f0606f560a055f2d
4056
REVISED TELEX RELEASE 0509896_igs50595.exe
C:\Users\admin\AppData\Local\Temp\30954511\ixu.pdf
text
MD5: 9b7296661315ceb1a6937b65d7166960
SHA256: 1e1350a2a5fac551fcbe168b3c8220226d5333cca4152f90a8437f2de31df448
PID Process Filename Type MD5 SHA256
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\oae.xl text 25d9280044c305c8aec04993f2484bd9 23d850ba19642c6952664116e47e76cf0ce10c093bdfd9ed3f026ea5e5531602
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\dku.xl text 835ee824dd5b4e2147a4cea2264fcc6d ec7e02a631f8c8417fd3cc9ebea07fff3a85a41a7f90b8cc4e0e27938d8ecb55
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\hsp.bmp text 3e82fdbacfe9ad05fb27d1797a8bd703 0b673108914fa58d43422e1d2e66dbf6dbe94b44994d99308e229fb74765cd56
4076 hqc.exe C:\Users\admin\AppData\Local\Temp\30954511\IFEGS text 6b7926935245608aba84601c6a5a2a9e 9b69d30b9b9bdbf774d6a0857e8a98b749739d81d3a8d1d528fbc90d9bbc6dc3
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\rjb.xl text 880b9468c340bc806cf49071635709d2 911420c04fe410c1ac4375492edb794599af8517f670270762181d0596cc26d7
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\gnv.ppt text dda5614606c7ba39dc2242aac5393c9e adac2bb33b1818ff676c377d03d85e6c2e4b72c43bc56472d715d41df2614276
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\pne.ppt text afe992af7b30a629d7a320096389c10f 7c1f14d93c03a81a597c31f08840ede64aa21974f4bfca8ee708ac3cba98ecf9
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\ggv.icm text 0be82675d89a91480a0d1533bf793e05 03f91cd20020ff5aeec45dbd88a8fa5b41a24f3db2649933663e8d0291b207f8
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\fwk.dat text eac536f5ef3d495113832e9819316424 d5714cda00ab526f530666dd501e2b8ccc085a02ee89ab3810f753c071bc0fd4
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\bae.mp3 text aabbcd155978dfeadb7302844c748f6c f0e83f51706c708cf373db49f25f4805677a8d306abe33c9ed8c0302b5ade0e1
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\set.mp4 text 122bf182dda46e4183219e99e0bbd8fc de053b8fc7db35c11ddf17a7e49068ed95df198642918fed909e112fb4bdb4ae
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\krf.mp4 text 2d91e762167abfcbf51e64a7bb7ceacd 93ef66ee9e2ee3d0392aa58f3ceb2747d370aebef52db89f1929455dc65a1d48
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\klc=jts text 3bdb628a021983ac5b801652fd87abaa 4dfb74e4ffbe8200a816fcf041d90a5f0f75032f44169a5ddcc19f58111eb800
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\xui.pdf text 7758c746c1c9a0a13c7fb679f2045914 f8595501b63dbaaad12f4f1aa09f7de37ffcf588819fcb6b75f72626b4986c56
4056 REVISED TELEX RELEASE 0509896_igs50595.exe C:\Users\admin\AppData\Local\Temp\30954511\xqq.mp4 text 8243b1301a6fa54f6943d9d978a69ffd ccbcdcb1368987f075fc13699c6d38b95f691910c75e1bd9da445998237c4a94
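Every file dropped under Temp\30954511 is typed "text" although its name promises a binary format (.bmp, .ppt, .pdf, .mp3, .mp4), and two names carry no extension at all. The script below is an added triage example written for this page, not code from ANY.RUN or from the sample: it re-enters the dropped-file rows as tuples (the MD5 column is left out) and flags the decoy names, the extensionless files and the single staging directory, then lists the SHA256 values as indicators. The set of "binary" extensions is an assumption, chosen from the names in the table.

```python
"""Triage of the dropped-file rows from the report above.

Added example, not from the ANY.RUN report. ROWS are the report's entries
re-entered by hand as (pid, process, path, detected type, sha256); the MD5
column is omitted. BINARY_EXTS is an assumption chosen from these names.
"""
from collections import Counter
from pathlib import PureWindowsPath

_P = "REVISED TELEX RELEASE 0509896_igs50595.exe"
_D = r"C:\Users\admin\AppData\Local\Temp\30954511"

ROWS = [
    (4056, _P, _D + r"\oae.xl", "text", "23d850ba19642c6952664116e47e76cf0ce10c093bdfd9ed3f026ea5e5531602"),
    (4056, _P, _D + r"\dku.xl", "text", "ec7e02a631f8c8417fd3cc9ebea07fff3a85a41a7f90b8cc4e0e27938d8ecb55"),
    (4056, _P, _D + r"\hsp.bmp", "text", "0b673108914fa58d43422e1d2e66dbf6dbe94b44994d99308e229fb74765cd56"),
    (4076, "hqc.exe", _D + r"\IFEGS", "text", "9b69d30b9b9bdbf774d6a0857e8a98b749739d81d3a8d1d528fbc90d9bbc6dc3"),
    (4056, _P, _D + r"\rjb.xl", "text", "911420c04fe410c1ac4375492edb794599af8517f670270762181d0596cc26d7"),
    (4056, _P, _D + r"\gnv.ppt", "text", "adac2bb33b1818ff676c377d03d85e6c2e4b72c43bc56472d715d41df2614276"),
    (4056, _P, _D + r"\pne.ppt", "text", "7c1f14d93c03a81a597c31f08840ede64aa21974f4bfca8ee708ac3cba98ecf9"),
    (4056, _P, _D + r"\ggv.icm", "text", "03f91cd20020ff5aeec45dbd88a8fa5b41a24f3db2649933663e8d0291b207f8"),
    (4056, _P, _D + r"\fwk.dat", "text", "d5714cda00ab526f530666dd501e2b8ccc085a02ee89ab3810f753c071bc0fd4"),
    (4056, _P, _D + r"\bae.mp3", "text", "f0e83f51706c708cf373db49f25f4805677a8d306abe33c9ed8c0302b5ade0e1"),
    (4056, _P, _D + r"\set.mp4", "text", "de053b8fc7db35c11ddf17a7e49068ed95df198642918fed909e112fb4bdb4ae"),
    (4056, _P, _D + r"\krf.mp4", "text", "93ef66ee9e2ee3d0392aa58f3ceb2747d370aebef52db89f1929455dc65a1d48"),
    (4056, _P, _D + r"\klc=jts", "text", "4dfb74e4ffbe8200a816fcf041d90a5f0f75032f44169a5ddcc19f58111eb800"),
    (4056, _P, _D + r"\xui.pdf", "text", "f8595501b63dbaaad12f4f1aa09f7de37ffcf588819fcb6b75f72626b4986c56"),
    (4056, _P, _D + r"\xqq.mp4", "text", "ccbcdcb1368987f075fc13699c6d38b95f691910c75e1bd9da445998237c4a94"),
]

# Assumption: these extensions denote binary formats, so a "text" detection
# means the name is a decoy. ".dat" is left out because it is genuinely ambiguous.
BINARY_EXTS = {".bmp", ".icm", ".mp3", ".mp4", ".pdf", ".ppt", ".xl"}


def decoy_names(rows):
    """Paths whose extension promises a binary format but whose content was typed as text."""
    return [p for _, _, p, t, _ in rows
            if t == "text" and PureWindowsPath(p).suffix.lower() in BINARY_EXTS]


def extensionless(rows):
    """File names with no extension at all, in table order."""
    return [PureWindowsPath(p).name for _, _, p, _, _ in rows if not PureWindowsPath(p).suffix]


def staging_dirs(rows):
    """Directory -> number of files dropped there; one hot directory is the loader's staging area."""
    return Counter(str(PureWindowsPath(p).parent) for _, _, p, _, _ in rows)


def sha256_iocs(rows):
    """Sorted, de-duplicated SHA256 list ready for a blocklist or a retro-hunt."""
    return sorted({h for *_, h in rows})


if __name__ == "__main__":
    print("decoy names:", len(decoy_names(ROWS)))
    print("no extension:", extensionless(ROWS))
    print("staging dirs:", dict(staging_dirs(ROWS)))
    print("\n".join(sha256_iocs(ROWS)))
```

The check is deliberately narrow: it does not claim to know what the text files contain, only that their names and their detected type disagree, which is what makes every one of them worth pulling from the full report.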

Find more information on the static content, and download it, in the full report.

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
107

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
4068 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
4068 RegSvcs.exe 185.62.189.194:1336 Dotsi, Unipessoal Lda. NL suspicious

DNS requests

Domain IP Reputation
moneymen.ddns.net 185.62.189.194 malicious
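The two network tables carry the whole story: RegSvcs.exe, a signed .NET Framework utility, resolves a dynamic-DNS name and then connects to the resolved address on TCP 1336, which is the behaviour the NanoCore signatures below fire on. The script that follows is an added example written for this page, not ANY.RUN's code and not derived from the sample itself: it re-creates the Connections and DNS rows inline and runs two triage rules over them, one for dynamic-DNS lookups and one for outbound sockets opened by hollowing-prone .NET utilities, then ties the two together. The dynamic-DNS suffix list and the utility list are assumptions drawn from common loader tradecraft; only *.ddns.net and RegSvcs.exe appear in this report.

```python
"""Triage rules over the report's network rows.

Added example, not part of the ANY.RUN report. CONNECTIONS and DNS_QUERIES
are constructed to mirror the Connections and DNS tables; DYNDNS_SUFFIXES
and HOLLOWING_HOSTS are assumptions, not facts taken from the report.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed to mirror the report: (pid, process, destination IP, destination port).
CONNECTIONS = [
    (4068, "RegSvcs.exe", "8.8.8.8", 53),
    (4068, "RegSvcs.exe", "185.62.189.194", 1336),
]

# Constructed to mirror the report: (queried domain, resolved IP).
DNS_QUERIES = [
    ("moneymen.ddns.net", "185.62.189.194"),
]

# Assumption: free dynamic-DNS providers; only *.ddns.net occurs in this report.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".duckdns.org")

# Assumption: signed .NET Framework utilities that loaders commonly hollow.
# They rarely have a reason to open outbound sockets of their own.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}

# Destination ports treated as expected infrastructure traffic for any process.
BENIGN_PORTS = {53}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: Optional[int]
    process: Optional[str]
    indicator: str


def is_dyndns(domain: str) -> bool:
    """True if the name sits under a dynamic-DNS provider (case-insensitive, trailing dot tolerated)."""
    d = domain.lower().rstrip(".")
    return any(d.endswith(s) for s in DYNDNS_SUFFIXES)


def analyze(connections, dns_queries):
    """Run both rules and return findings in table order."""
    findings = []
    resolved = {ip: dom for dom, ip in dns_queries}
    for dom, ip in dns_queries:
        if is_dyndns(dom):
            findings.append(Finding("dyndns-domain", None, None, f"{dom} -> {ip}"))
    for pid, proc, ip, port in connections:
        if port in BENIGN_PORTS or proc.lower() not in HOLLOWING_HOSTS:
            continue
        # Tie the socket back to the name that produced it when a DNS row matches.
        dom = resolved.get(ip)
        label = f"{ip}:{port}" + (f" ({dom})" if dom else "")
        findings.append(Finding("dotnet-utility-outbound", pid, proc, label))
    return findings


def c2_candidates(connections, dns_queries):
    """(domain, ip, port) triples where a dynamic-DNS name resolved to the address
    a hollowing-prone utility then connected to: the chain this report shows."""
    dyn = {ip: dom for dom, ip in dns_queries if is_dyndns(dom)}
    return [(dyn[ip], ip, port) for _, proc, ip, port in connections
            if proc.lower() in HOLLOWING_HOSTS and port not in BENIGN_PORTS and ip in dyn]


if __name__ == "__main__":
    for f in analyze(CONNECTIONS, DNS_QUERIES):
        print(f"{f.rule:24} pid={f.pid} {f.process} {f.indicator}")
    print("C2 candidates:", c2_candidates(CONNECTIONS, DNS_QUERIES))
```

Neither rule needs a NanoCore-specific signature; the same two rules, fed Sysmon network and DNS events instead of constructed tuples, would have raised this sample on the RegSvcs.exe socket alone, and the dynamic-DNS correlation is what turns a single odd connection into a named C2 candidate.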

Threats

PID Process Class Message
4068 RegSvcs.exe A Network Trojan was detected SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain
4068 RegSvcs.exe A Network Trojan was detected SC BAD_UNKNOWN Generic dynamic DNS detection
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
4068 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
4068 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
4068 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B

63 further ETPRO signatures are available in the full report.

Debug output strings

No debug info.