General Info

File name

SCAN_20190415_SLIP.pdf.gz

Full analysis
https://app.any.run/tasks/24d48ef4-cfbf-440f-9b1c-efaaab4247dc
Verdict
Malicious activity
Analysis date
4/15/2019, 09:17:16
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

trojan

nanocore

rat

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

ca1dd7fd7955104f061360f4e014752e

SHA1

f74a26e761e998aa01f0a9be5453120e1a7bf815

SHA256

7db8758e383d22c29613c568c9915df897c7124e46b963b116daacd4ee0dfe27

SSDEEP

12288:JzPbtetnhSkAz0rR+ig4sK7IomZ1TmJrXKLSaA+PmNpj60t+bl/Pf3LU6OGpATCB:JXtkhSD+kaszoWTmGBmjrYbh3LUOqBkT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • efg.exe (PID: 2212)
Application was dropped or rewritten from another process
  • efg.exe (PID: 2212)
  • efg.exe (PID: 2928)
  • SCAN_20190415_SLIP.exe (PID: 3088)
NanoCore was detected
  • RegSvcs.exe (PID: 368)
Connects to CnC server
  • RegSvcs.exe (PID: 368)
Application launched itself
  • efg.exe (PID: 2928)
Drop AutoIt3 executable file
  • SCAN_20190415_SLIP.exe (PID: 3088)
Executable content was dropped or overwritten
  • SCAN_20190415_SLIP.exe (PID: 3088)
Creates files in the user directory
  • RegSvcs.exe (PID: 368)
Dropped object may contain Bitcoin addresses
  • efg.exe (PID: 2928)
  • SCAN_20190415_SLIP.exe (PID: 3088)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion: 20
ZipBitFlag: null
ZipCompression: Deflated
ZipModifyDate: 2019:04:15 04:18:12
ZipCRC: 0x7eb8d3eb
ZipCompressedSize: 876787
ZipUncompressedSize: 931738
ZipFileName: SCAN_20190415_SLIP.exe

Processes

Total processes
36
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

start -> winrar.exe (no specs) -> drop and start -> scan_20190415_slip.exe -> efg.exe (no specs) -> efg.exe -> regsvcs.exe (#NANOCORE)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3716
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SCAN_20190415_SLIP.pdf.gz.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3088
CMD
"C:\Users\admin\Desktop\SCAN_20190415_SLIP.exe"
Path
C:\Users\admin\Desktop\SCAN_20190415_SLIP.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\scan_20190415_slip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\64982355\efg.exe

PID
2928
CMD
"C:\Users\admin\AppData\Local\Temp\64982355\efg.exe" vfd=lpr
Path
C:\Users\admin\AppData\Local\Temp\64982355\efg.exe
Indicators
No indicators
Parent process
SCAN_20190415_SLIP.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\64982355\efg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
2212
CMD
C:\Users\admin\AppData\Local\Temp\64982355\efg.exe C:\Users\admin\AppData\Local\Temp\64982355\ZMNJZ
Path
C:\Users\admin\AppData\Local\Temp\64982355\efg.exe
Indicators
Parent process
efg.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\64982355\efg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
368
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
efg.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

Registry activity

Total events
816
Read events
802
Write events
14
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3716 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SCAN_20190415_SLIP.pdf.gz.zip
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3716 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3088 | SCAN_20190415_SLIP.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3088 | SCAN_20190415_SLIP.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2212 | efg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe | C:\Users\admin\AppData\Local\Temp\64982355\efg.exe C:\Users\admin\AppData\Local\Temp\64982355\VFD_LP~1

Files activity

Executable files
1
Suspicious files
2
Text files
53
Unknown types
1

Dropped files

PID
Process
Filename
Type
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\efg.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3716
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3716.16663\SCAN_20190415_SLIP.exe
––
MD5:  ––
SHA256:  ––
368
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
bs
MD5: 32d0aae13696ff7f8af33b2d22451028
SHA256: 5347661365e7ad2c1acc27ab0d150ffa097d9246bb3626fca06989e976e8dd29
368
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 9aecf760c7b55f6d98e8acf4e6eb9440
SHA256: 43a1da54bb85fa1e1d29b175287d95d8218a6f4a7b852c2f0472d16a53db21e8
2928
efg.exe
C:\Users\admin\AppData\Local\Temp\64982355\ZMNJZ
text
MD5: 2de99f90e5b68a0cfb2cc57eceed3c6b
SHA256: 2c64ee0c671cc6a0b5448ba23064330c218fcdea1eb104d52ec76bb9fa7f2e24
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\koe.txt
text
MD5: 6ff15b586eb4ee246ee5266f8ccd3e4c
SHA256: e3b1b6d90cdd085270dff0dbdb6bb3730746c6aa0d91e36c75a0405560481e6e
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\knj.bmp
text
MD5: 2a926adda954fa2e111634eac8cb30cc
SHA256: edb37234ee33a1c129db654e92edd3e134d51ae653bce3369b4c097afaf673ec
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\upd.dat
text
MD5: a418a552a461b543eb5f5e54d04fbcba
SHA256: 30b06fa566894d64cb4078613a70f731f8bb1947cef1d99d6f6b3833a38c2157
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\lmg.jpg
text
MD5: e249ad2541b297049c41ec479fa48ca4
SHA256: c0dbba7a68c5032949100b7208b2b469199966aa12dac2b20bebe41f028ac6da
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\bpf.txt
text
MD5: 33f535100d9cab1d903e8f0cdc4c10d3
SHA256: c935e8ea203274971dda509940241b9b4a011a96432b09ef27e5d4016b360bfe
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\vdx.mp3
text
MD5: 13e48ceac70d12c8164181e22e1d709f
SHA256: b34084910669a9dd51f46dd82af4ed0dedcd2f335689075e02d7ed1abcb5c06e
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\xtu.docx
text
MD5: ddc0db2ddc082a0ce4fa1fe024c4a17e
SHA256: 7a987d384c0407348a87110bebdf8cf6d58d32e15579b7eccf41314b5256e08e
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\ouq.xl
text
MD5: 16cd5a114bed30f4a1f31790b66323ed
SHA256: 49c4cce0b2aac133e78511b819de109a4a5ad888c81eb5e8cd005c28e04c5561
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\bun.ico
text
MD5: 9219e45ad636f3bb9dfddd664073dece
SHA256: 9197421762e7ca00733221a35e0c6d32b0d6c05ccbc91040660c48b0ed70a760
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\inl.ico
text
MD5: 0275d86f677a0650aca4e5044b3823ee
SHA256: 81b781bbd636e319bf92b1034ff0ed5178a9d5e029788d66ab03a05ca90d1959
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\vrb.mp4
text
MD5: 00a1da5a0f4db5d5fc5f88a66ab8d12c
SHA256: 5e329f64a8b942354ca59f08ed1767bad2d90b676d6407590833fbc387beb1b7
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\acq.mp4
text
MD5: eca50d6287e90e32591bbacfd6d9c075
SHA256: 0459146ea732899c481e465830b251ca39079a0ea1c234f60e5de23f92653c0d
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\gde.ico
text
MD5: 205745e981e6618e373ffda041b6c75e
SHA256: dcb49882d9d2bfd2eda944f9f84c3728f2de9d66afe9bf3b6779d30971c50e84
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\lxt.pdf
text
MD5: 3bf4b60b511d2ef6257411ad0b28c235
SHA256: f48c307c0d3d3eeb524772562a0ba0e573f0070d7432b0d282fecf28defcd81c
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\cgv.pdf
text
MD5: 6f3d758c1ed2ee550c58bc9be69cc1fd
SHA256: a1c8c62253b9b3cf465eb487439ebf7405f487d0af2df3b6d8a8491d2a1f5cc1
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\xwd.ppt
text
MD5: 56dd906a95c170f9f7f9277c76bab557
SHA256: 0f0cb23d77d25c85e875916b201657a3f58a276b9a062434f2f0716108a79210
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\twc.ico
text
MD5: 7c6b9f576f3e9fd7ea4f18259352f217
SHA256: 2f5b9fab2a5ff52d2965b2694ffafb18fdf00274d445d63d2df904bf22efbfe1
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\nbw.dat
text
MD5: 1bc9269a4d35d6adcaeecf5d4e050a61
SHA256: e195e68fc3a8bc4b474a2e16a8ad3651643806d53e0c37bcf167bdcdea8a3d7a
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\xsp.icm
text
MD5: b791086c2675c2de8b00bec697202b8b
SHA256: 539788718f7a8732caebb6f6c28a175dd763b9150abca791dc5a3e100e3bf15f
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\gio.mp4
text
MD5: ea8fd213817efbb7678cf417c3b6105f
SHA256: 7c8458d650cc32357224e37916e6f7a21dc3497f7783ec21d053ee03c92a4f5d
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\mtt.ppt
text
MD5: f3712b3ebbf6e05ea1c52de03d467488
SHA256: e4bc134694472b376779d02bb242666fe13d1e3c6eabe5c9c76c67184bae2765
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\htp.ppt
text
MD5: 1dc78acbebf800352ca327200e671c29
SHA256: 747dd98efab42048a531fca99e9336db98c459aa3205e07410573c65078dbeb3
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\aou.ico
text
MD5: a21e65ffd871f0e09b8da0ac3d890bd9
SHA256: c309885c168ae7813ef85e775abb64998823231966c7685d226b2474079ef916
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\vqt.mp4
text
MD5: 548d7c532c3ea43e55684e6f1ccd193d
SHA256: 6f4ae1a32d7ac9a3fad649cc3fc67128e13d7c8db113f2cac964adaf3a7e6f42
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\vqq.jpg
text
MD5: a753104c25d6ea9352dfc8e4d77e5f33
SHA256: 8c20240bcf4d02f4db87450514f7fc49c6ac87dbfbfc8d79b1cec5cb61e0aa03
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\jgs.ppt
text
MD5: 5ff6dac64cdadffd336fc10c9b09f032
SHA256: b9dc580d46dddb87072fface454727ea517370e94b4b3ac2bb0e9240791e0cca
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\kwd.xl
text
MD5: 4e7f2250466a8a9a24b2e03c4eded369
SHA256: ab9c8a2b1b1ce4f24ead28cb137b010a5c986c12cd02f7a0e0ad30a29b34b40e
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\gpi.icm
text
MD5: 0d10e0202a630fbb1063ce95a12129f1
SHA256: f69f5f0a713a7144952b7a59c42271cd8d2ad7c6a3015569c801e3493b839c15
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\urh.docx
text
MD5: 67df0f5b806aaffb27362bab6aefc8e5
SHA256: 87c46356eeccedc78667e8de2b2da06c3f52a989b3f51a847074697799b5cf7f
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\oct.bmp
text
MD5: ccb5558a116644eef77d8849470e72f8
SHA256: 620bb5555bf36f25e2a035b8e0f51e0968a4d16cc56b0c4803d2684aa1317546
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\cee.docx
text
MD5: 4b678a9176928045651eeb76f7772f4f
SHA256: 5c7a681c8042106ff6d05a19718088bca2547df7d6d1c5c0aced86d2a1093995
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\wha.txt
text
MD5: ebb4d68217d37c9417bc10f3a1b7e76b
SHA256: 72ffecfdae7b5ba6a4351e0f535a408f5e8cf4e132a97d0dd6cb6f56fc17fd40
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\nti.pdf
text
MD5: a09046af595a187f5ef4b19495f82580
SHA256: 4d213364e8dc03f078184d3c7ee2fe234203828de26ec5412776ddd1c920362e
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\juf.icm
text
MD5: 618c9ce12f800a710742eb7b1e9519ea
SHA256: 84587739ce11be3aa2e8a14e4f376f7ca52d6efa2d68dc15582349114f3b86d3
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\xgk.pdf
text
MD5: 3850d5b7b75478394dfae02af2e05d94
SHA256: 43f452a45d09e93743ee161796f8a1e20f76fc868473faa715f8c662541c814c
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\ckx.mp4
text
MD5: c775ec3037004df7d0adf39320cb3301
SHA256: e09d95378d3c7da31a6be7b3908adbfdfd59ba9b66883d18280a680e74a01f13
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\nvs.dat
text
MD5: e35861376e532470f38096e336434d06
SHA256: 99fa2889121ffcaf8cc8fe077e0ae7923cfb4024f2afb767ca9bd14eff147525
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\kfl.bmp
text
MD5: 6e9cd056ca74f98f627e431e5ac02060
SHA256: faf503a92b8d92baab095e859baeb547b915164d33460969bd2b53d28cdecca5
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\rhq.ico
text
MD5: 33b62369b314036aaaf019199c44b5a4
SHA256: f23b4a40087e9c8bccc8b54b90bedd73ba5e80a0f856f065803d20d6cf1513ab
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\ndv.bmp
text
MD5: cbbe059e0018d4c1e98114842a094504
SHA256: e2abfc3a23bff078f1643033203f11c6a3f882f01e4a800ebcde7168df3d4b69
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\qti.icm
text
MD5: 9a7b59e076764383e6a70b429a11d7fd
SHA256: ad6fb6e9b66538b6683a66e997fb549059428d8e447cae321829ef45b2c3c573
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\foe.xl
text
MD5: a9aca3714faed490cda138220e3e9a46
SHA256: 8a2c9189cbd4c3c9830ac57b070057a7bba094f8ff672cb9468276b521da29a8
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\gdb.mp3
text
MD5: ae350fe0ca3fb4914cb2245c10347f1b
SHA256: 1026a6e7ab82fbaa48aa665c835361657ce9dba96afffa6bde72d79127950c40
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\ecl.mp4
text
MD5: 4ccb8d29d85432b076589ce963bc6300
SHA256: 6e3df85e5ddc642737ee5e2bdd1d9270916e534d10e358090eeefb4b5babf2e1
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\ltd.docx
text
MD5: d96376252bec927eab07295c48e09c00
SHA256: a6f84e346b64ce07e02422baf608ad23113523458525068f548ebc77b4e4ad2d
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\lvh.icm
text
MD5: 8f290948df5a626ac304087f0643a31d
SHA256: dfbc35c344ca895f0b7a414315abaa1912cf80c3445c54b9bbed9a76d29779cb
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\gxs.ico
text
MD5: 269bbbb2f07b2fa7dec08e70411a49ce
SHA256: 0c93e8e8b2dff3ded191c243271390956a4ed2d2ba1e8869893e03028b66d434
368
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin
binary
MD5: 4e5e92e2369688041cc82ef9650eded2
SHA256: f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\vfd=lpr
text
MD5: da8f905a642f020d5c68c6b1ebbdee7a
SHA256: b703e12fc1c7b49d901515e78ede115630e077e2bbe221de619ea411a4beb654
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\tpm.mp3
text
MD5: 8054b3c288e75cf9e96a12c5fcf25c31
SHA256: 1b2238013d984034038c9480b976ce3ac086e1a2177e09bd87720c7e50b1c8c9
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\StructureConstants.xl
text
MD5: 154e481a391495d42cea3b839da02e06
SHA256: f2afa22a2a86922604ee53a2f0dba27a47fe48d43288dce0e254579648e6fb01
3088
SCAN_20190415_SLIP.exe
C:\Users\admin\AppData\Local\Temp\64982355\StructureConstants.mp3
text
MD5: c54f4e37aca30151cb6f6088d00f95c5
SHA256: 53648baa066f2715afb2c180495fc005e15f5e13e58fd7b2c97a7f5e8b3b6181
368
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat
binary
MD5: 7e8f4a764b981d5b82d1cc49d341e9c6
SHA256: 0bd3aac12623520c4e2031c8b96b4a154702f36f97f643158e91e987d317b480

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
7
Threats
89

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
368 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
368 RegSvcs.exe 95.213.251.165:24891 OOO Network of data-centers Selectel RU malicious

DNS requests

Domain IP Reputation
zenrnarketinghyd.duckdns.org 95.213.251.165 malicious
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
368 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
368 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
368 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
368 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
368 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT

53 ETPRO signatures available at the full report

Debug output strings

No debug info.